Abstract


Allowing access to resources, including data and hardware, without compromising their security is a fundamental challenge in computer science. Because of the number and complexity of authorization policies in access control systems, it is clear that ad hoc methods for specifying and enforcing policies cannot inspire a high degree of trust. Authorization logics have been proposed as a theoretically sound alternative.

However, for an authorization logic to be useful in practice, it should be able to model most, if not all, naturally occurring policy features. One common feature is the time-dependency of authorizations. For example, a user may only be permitted to access a given resource on workdays. Surprisingly, of the numerous proposals for access control logics, we know of no logic that incorporates time internally.

In an attempt to fill this void, this thesis develops a logic with explicit time that permits reasoning about complex, yet natural, time-dependent authorizations. The logic is then extended to account for authorizations that may be used only once. A careful study of the meta-theory of both logics is conducted, and the logics' rich expressive power is demonstrated through several examples. Finally, a proof checker for the latter logic is formalized and discussed.


Acknowledgments 


First,  I  would  like  to  express  my  gratitude  to  Frank  Pfenning  for  taking  time  out  of  his  very  busy 
schedule  to  advise  me  this  year,  and  for  helping  me  gain  valuable  experience  in  the  research  process. 
I  would  also  like  to  thank  him  for  suggesting  such  an  interesting  and  accessible  thesis  topic. 

Second,  I  wish  to  thank  Deepak  Garg  for  being  so  exceptionally  generous  with  his  time  and 
advice,  and  for  his  patience  while  introducing  me  to  new  topics  and  reviewing  old  ones. 

Finally,  I  would  like  to  thank  my  family  for  their  love,  support,  and  encouragement  over  not 
only  the  course  of  this  thesis,  but  also  at  every  step  in  my  education. 




Contents 


1 Introduction

1.1 Related Work

2 Preliminaries: Garg-Pfenning Authorization Logic

2.1 Logical System

2.1.1 First-order Terms and Sorts

2.1.2 Judgments

2.1.3 Propositions

2.1.4 Inference Rules

2.2 Examples

2.2.1 Office Entry

2.2.2 Chemical Laboratory Inspections

2.3 Meta-theory

2.4 Conclusion

3 η_N Logic

3.1 Logical System

3.1.1 First-order Terms and Sorts

3.1.2 Constraints

3.1.3 Judgments

3.1.4 Propositions

3.1.5 Inference Rules

3.2 Examples

3.2.1 Office Entry

3.2.2 Journal Publication

3.3 Meta-theory and Correspondence to GP Logic

3.3.1 Meta-theory

3.3.2 Correspondence to GP Logic

3.4 Conclusion

4 η_L Logic

4.1 An Overview of Linear Logic

4.2 Logical System



4.2.1 First-Order Terms and Sorts

4.2.2 Constraints

4.2.3 Judgments

4.2.4 Propositions

4.2.5 Inference Rules

4.3 Examples

4.3.1 Office Entry

4.3.2 Filling Painkiller Prescriptions

4.3.3 A Homework Assignment Administration System

4.4 Meta-theory

4.5 Conclusion

5 A Proof Checker for η_L Logic

5.1 Formal Proof Checker

5.1.1 Sorts, Function Symbols, and Predicates

5.1.2 Terms

5.1.3 Constraints

5.1.4 Propositions and Types

5.1.5 Proof Terms and Their Typing Judgments

5.1.6 Inference Rules

5.2 Implementing the Proof Checker

5.2.1 Explicit Substitutions

5.2.2 de Bruijn Indices

5.2.3 Linearity

5.2.4 Constraints

5.3 Conclusion

6 Conclusion

6.1 Future Work


List  of  Figures 

2.1 The inference rules for Garg-Pfenning logic

3.1 The inference rules for η_N logic

3.2 The inference rules for η_N logic, continued

4.1 The inference rules for η_L logic

4.2 The inference rules for η_L logic, continued

5.1 The well-formedness rules for signatures and sorts

5.2 The well-formedness rules for parameter contexts and terms

5.3 The well-formedness rule for constraints and constraint contexts

5.4 The well-formedness rules for propositions and categorical judgments

5.5 The well-formedness rules for proof contexts

5.6 The bidirectional typing rules

5.7 The bidirectional typing rules, continued


Chapter  1 

Introduction 


The  tension  between  protecting  an  object  and  allowing  it  to  be  used  or  displayed  is  a  fundamental 
one,  even  for  objects  that  are  not  digital.  For  example,  how  can  intruders  be  prevented  from  reading 
a  classified  document  while  still  allowing  the  members  of  that  document’s  security  compartment 
to  read  and  edit  it?  Or,  how  can  the  public  be  prevented  from  using  a  departmental  photocopier, 
while  still  allowing  members  of  the  department  to  use  it? 

Because  of  this  fundamental  tension,  organizations  usually  establish  policies  that  delineate  the 
conditions  under  which  an  object  can  be  accessed.  These  policies,  along  with  a  mechanism  for  their 
enforcement,  constitute  an  access  control  system.  But  an  access  control  system  is  valuable  only  if 
it  can  be  trusted  to  be  correct:  the  policies  must  allow  only  what  is  desired  by  the  organization 
and  the  system  must  correctly  enforce  all  of  the  policies. 

As  access  control  systems  become  more  widespread  and  more  complex,  it  is  increasingly  clear 
that  ad  hoc  methods  can  no  longer  guarantee  a  sufficient  level  of  trust  in  the  system’s  correctness:  a 
formal  approach  to  access  control  is  needed.  One  promising  avenue  is  the  use  of  logic  for  specifying 
policies.  Given  an  appropriately  defined  logic,  policies  can  be  encoded  as  concrete  logical  structures, 
rather  than  relying  on  abstract  policy  descriptions. 

But  why  is  logic  a  solid  foundation  for  access  control?  The  specification  of  policies  in  a  logic 
provides  three  important  benefits.  First,  once  written  in  a  formal  logic,  policies  have  precisely 
specified  meanings.  The  ambiguity  inherent  in  a  natural  language  formulation  no  longer  exists. 
Instead,  the  semantics  of  the  logic  define  the  meaning  of  a  policy  exactly. 

Second,  by  expressing  them  in  a  logic,  access  control  policies  can  be  enforced  by  proof-carrying 
authorization  (PCA)  [6,  7].  In  a  PCA-based  access  control  system,  each  resource  is  guarded  by  a 
resource  monitor.  A  user  requesting  access  to  a  resource  must  present  the  corresponding  resource 
monitor  with  a  formal  proof  of  why  she  is  authorized,  under  the  system’s  policies,  to  access  that 
resource.  The  monitor  then  checks  this  proof  for  correctness.  If  the  proof  is  correct,  access  is 
granted;  if  the  proof  is  incorrect,  access  is  denied. 

In  PCA,  then,  the  logical  model  of  access  control  coincides  with  access  control  in  the  real  world: 
access  is  granted  in  practice  if,  and  only  if,  it  is  granted  formally  by  the  logical  forms  of  the  policies. 
In  this  way,  a  PCA-based  implementation  of  an  access  control  system  is  guaranteed  to  correctly 
adhere  to  that  system’s  policies,  whatever  they  may  be. 

Third, policies written in a logic can be subjected to extensive meta-analysis. For example, non-interference properties of the logic can be proven and used in this analysis, as demonstrated by Garg and Pfenning [24]. Potentially unintended consequences of the policies can then be discovered by automated, or semi-automated, policy analysis tools based on these properties. This and other meta-analyses increase confidence in policies' correctness.

To take advantage of these benefits, it is crucial that the underlying authorization logic be able to model as many policy motifs as possible. In some cases, if the logic cannot express a critical feature of some policy, that feature could be enforced by extra-logical methods. But by abandoning the use of logic and reverting to ad hoc methods, the above benefits will no longer apply to that feature. Specifically, although a PCA proof may be correct according to the logic's rules, access may still be denied due to the failure of the extra-logical checks. This destroys the correspondence between the logical model of access and access in practice. Even worse, meta-analysis of the formal policies cannot be used to guarantee their correctness with respect to an informal specification because the logic does not model a critical feature.

For this reason, when designing an authorization logic, common policy motifs should be considered for inclusion. One such motif is time. It is often desirable to limit the times during which a resource can be accessed or to grant authorizations that expire. For example, students should not be able to view the solutions to a homework assignment until after the due date. Because of the ubiquity of such time-dependent access control policies, one would hope that an authorization logic incorporating time exists.

Surprisingly,  of  the  numerous  logics  [2,  4,  24,  23,  30,  6,  14,  29,  22]  and  languages  [10,  18,  39] 
proposed  in  the  access  control  literature,  few  allow  time-dependent  policies.  Those  that  do  handle 
time,  such  as  SecPAL  [10],  do  so  using  extra-logical  mechanisms:  we  know  of  no  authorization  logic 
that  incorporates  time  internally.  This  void  motivates  us  to  develop  an  authorization  logic  with 
time. 

Because time-dependent authorizations typically use explicit times, such as "between 9am and 5pm" or "during the month of May 2008," the logic developed in this thesis incorporates explicit time intervals rather than relative times, such as "at some time in the future." For this reason, the logic is dubbed η logic, where η (spelled "eta") stands for Explicit Time Authorization.

η logic borrows ideas from constructive hybrid logic [13, 37, 16, 11] to model time intervals as possible worlds in which propositions may be true. Accordingly, the @ connective of hybrid logic is used to relativize the truth of a proposition to a time interval, as in A @ I. η logic also adopts techniques from constraint-based reasoning [38, 27] to manage an inclusion relation between intervals.

Another  common  policy  motif  is  that  of  consumable  credentials.  One  often  wants  to  allow 
only  a  finite  number  of  accesses.  For  example,  students  might  be  freely  authorized  to  make  250 
photocopies  per  semester  and  must  purchase  the  authorization  to  make  additional  copies.  That  is, 
a  finite  number  of  accesses  are  free  of  charge. 

An authorization logic that can express changes of state would be able to account for such policies. Linear logic [26, 17] is a logic that can model consumable resources. For this reason, logics of authorization that include ideas from linear logic have been proposed [23, 14]. To incorporate linear policies in addition to time-dependent ones, η logic is extended with techniques from linear authorization logics. Thus, η logic is actually a family of logics comprising a non-linear η logic, η_N logic, and a linear η logic, η_L logic.
In summary, this thesis makes two conceptual contributions. First, an authorization logic that directly incorporates time is developed and its applicability to natural time-dependent policies is demonstrated. Second, the linear version of η logic shows that linearity can peacefully coexist with explicit time. This was not initially obvious because both linearity and time "consume" objects: linearity by usage and time by expiration.

This thesis also makes a small practical contribution. The natural deduction proof checker presented shows that a full-fledged PCA implementation of η_L logic should be easily constructible, at least in a centralized system.

Finally, it should be noted that this thesis lies in the same line as earlier joint work with Garg and Pfenning [19], and describes the latest version of η logic.

1.1  Related  Work 

Authorization Logics and Languages. We provide only a brief overview of the vast literature on logics and languages for access control. For more information, the reader is referred to a survey by Abadi [1].

The study of access control logics was initiated by Abadi, Burrows, and Lampson [4, 29] in two landmark papers. This work was the first to introduce the "says" connective for modeling the policies of principals, a connective found in nearly all authorization logics that followed. The work also considered an algebra over principals to model groups, delegation, and jointly made policies. η logic does not include such an algebra in this thesis, and instead relies on universal quantification to account for groups and limited delegation, as in earlier work [24].

Breaking from the classical pattern of the work of Abadi et al., Garg and Pfenning [24] were the first to propose a constructive authorization logic. In addition, they proved several non-interference theorems for their logic. Garg et al. [23] continued this study by adding linearity and knowledge to their logic. η logic is primarily derived from these constructive authorization logics. The affirmation judgment, linearity, judgmental formulation, and constructive philosophy are all adopted from those works.

Subsequently, Abadi interpreted work on the Dependency Core Calculus [3] as a calculus of access control, obtaining a logic with lax-like modalities [2] similar to that of Garg and Pfenning. However, Abadi significantly extended the earlier work by describing a different, but related, non-interference theorem, proof terms through the Curry-Howard isomorphism, and second-order quantification.

Notable  policy  languages  for  access  control  include  SecPAL  [10]  and  Binder  [18].  SecPAL  is  the 
only  authorization  logic  or  language  that  we  know  of  to  handle  time.  However,  in  SecPAL,  time 
restrictions  are  enforced  by  an  external  constraint  mechanism  and  not  reasoned  about  within  the 
language.  Binder  extends  the  datalog  logic  programming  language  with  constructs  for  reasoning 
about  authorization. 

Logics for Time. Incorporating time into logics has been the subject of much study. The most common class is that of temporal logic [31], in which times are relative to each other. Most temporal logics include the □, ◇, and ○ modalities for representing all future times, some future time, and the next time (in a discrete system), relative to the current time. But, having only these relative modalities, temporal logics cannot refer to absolute times. Temporal logics were indeed briefly considered for the design of a time-dependent authorization logic in this thesis. However, because access control policies typically refer to absolute, and not relative, times, this approach was rejected.

Closely related to traditional temporal logic is interval temporal logic [33], which represents an interval as a discrete sequence of events. Again, these times are relative and seem unsuitable for authorization policies.

In a departure from the temporal logic paradigm, Kanovich et al. [28] have modeled real-time systems using linear logic and a distinguished predicate Time(t) to represent the time t. While this approach permits the absolute representation of time that appears necessary for access control policies, it still seems too weak in a different way. For example, it is not clear how to express a conjunction of A occurring at time t_A and B occurring at time t_B.

Closest in spirit to η logic is Temporal Annotated Constraint Logic Programming (TACLP) [21]. TACLP contains a connective similar to the @ connective of η logic, but only allows it to annotate atomic propositions with time intervals. TACLP also differs from η logic in that the former is not an authorization logic; the fundamental interaction between time and authorization handled by η logic is nontrivial, and is therefore a unique contribution of η logic.

Hybrid Logic. To represent the interval at which a proposition is true, η logic borrows ideas from hybrid logic [11]. Hybrid logic extends modal logic by allowing the possible worlds to appear within propositions.

As η logic is constructive, it is most closely related to the constructive hybrid logics presented by Brauner and de Paiva [13] and Chadha et al. [16]. Reed [37] also describes a constructive hybrid logical framework that inspired the hybrid features of η logic.

Constraint-Based Reasoning. The incorporation of constraints into the proof theory of η logic is heavily derived from earlier work by Saranlı and Pfenning [38] on a logic for robotic planning and work by Jia [27] in the context of reasoning about memory invariants. Jia's comments on the tradeoffs of including disjunctive constraints informed the decision to keep the constraints of η logic simple.

Linear Logic. In his influential paper on the subject, Girard pioneered linear logic [26], a logic for modeling consumable resources and other kinds of mutable state. Later, Chang et al. [17] introduced a judgmental reconstruction of intuitionistic linear logic by refining the hypothetical judgment. As η_L logic is also based on judgmental principles, a similar refinement is used.

The inclusion of linearity in an authorization logic to model finitely-usable credentials is certainly not unique to η_L logic; it was first adopted by Garg et al. [23] and independently discovered by Cederquist et al. [14].

Enforcing the single-use nature of consumable certificates in an implementation of a linear authorization logic is relatively straightforward if the certificates are stored in a central database. Bowers et al. [12] discuss the more difficult problem of coordinating accurate consumption of distributed certificates, and suggest contract-signing protocols as a solution.

Proof-Carrying Authorization. Appel and Felten [6] introduced proof-carrying authorization (PCA) as a mechanism for enforcing access control policies via higher-order logic. In their interpretation, security policies are written in an application-specific logic and encoded in higher-order logic. Then, before access will be granted, the user must construct a correct, explicit proof of why the security policies justify access. Thus, access in practice and access in the logic coincide. To take advantage of this correspondence, we intend that η logic be amenable to PCA enforcement.

Previous implementations of PCA have been used to control access to webpages [7] and offices [9, 8]. Recently, Vaughan et al. [39] have designed a strongly typed language that directly incorporates PCA. It would be interesting to explore how time could be added to this language by using ideas from η logic.


Organization  of  the  Thesis 

The remainder of the thesis is organized as follows. Chapter 2 reviews a non-linear logic of authorization that does not use time. Examples are given to clarify the use of the logic and demonstrate the need for time-dependent policies. In Chapter 3, we develop η_N logic. Examples highlight the increased expressive power of η_N logic and indicate the need for linear policies. Meta-theoretic properties of the logic are proven, increasing our confidence in the logic's soundness. Chapter 4 extends the previous logic by adding linearity. As the examples show, linearity increases the expressive power even more. The meta-theoretic properties are also extended to account for linearity. Finally, Chapter 5 presents a natural deduction formulation of η_L logic and briefly describes the corresponding implementation.


Chapter  2 


Preliminaries:  Garg-Pfenning 
Authorization  Logic 


η logic draws very heavily from a constructive, proof-theoretic authorization logic developed by Garg and Pfenning [24]. Before presenting η logic, it will be useful to review this logic (hereafter GP logic). This review will allow us to introduce concepts from proof-theoretic authorization logics, including the key concept of affirmation; will familiarize the reader with the expression of access control policies in an authorization logic through two examples; and will afford us an opportunity to present some meta-theory.

2.1  Logical  System 

Proof-theoretic  logics,  as  an  alternative  to  axiomatic  logics,  were  first  introduced  by  Gentzen  [25]. 
These  logics  make  the  meanings  of  propositions  exact  by  precisely  specifying  how  each  form  of 
proposition  may  be  verified.  By  coinciding  a  logic’s  semantics  with  its  syntactic  proofs,  proof 
theory  provides  a  high  degree  of  assurance  in  that  logic’s  correctness. 

Later, Martin-Löf introduced a distinction between judgments and propositions [32]. Under this formulation, a judgment is an object of knowledge and is made evident by a formal proof. Propositions, then, are the subjects of judgments.

GP logic adheres to both of these fundamental ideas in an effort to keep the meanings of proofs clean and direct. (For details on this judgmental approach, the reader is referred to a discussion by Pfenning and Davies [34].) We begin by reviewing the first-order terms and sorts of the logic. Next, we introduce the truth and affirmation judgments that form the foundation of GP logic. This introduction is carefully separated from the description of the logic's propositions, to emphasize Martin-Löf's distinction. Finally, we present the proof rules of GP logic as a Gentzen-style sequent calculus.

2.1.1  First-order  Terms  and  Sorts 

To account for atomic propositions built from predicates and for universal and existential quantification, GP logic contains terms t which are classified by sorts s. That term t has sort s is denoted by the judgment t:s.

The  particular  sorts  and  terms  available  in  GP  logic  are  left  open-ended,  with  the  exception 
that  a  sort  principal  of  principals  is  specifically  assumed.  Principals  are  the  entities,  typically  users 
or  machines,  that  can  make  statements  of  affirmation.  The  meta-variable  K  is  used  to  stand  for 
an  arbitrary  principal. 

Because we will want to be able to reason parametrically with terms, GP logic introduces a context¹, Σ, to track the parameters in scope and their respective sorts. The syntax of a parameter context is:

Σ ::= · | Σ, x:s

Thus, a parameter context is simply a map of parameter-sort pairings: it may be empty, written as ·; or, it may be a parameter context Σ followed by the ascription of a sort s to a parameter x, written as Σ, x:s. To avoid ambiguities, we assume that all parameters declared in Σ are distinct from x; this convention can be maintained by implicitly α-renaming variables.

Since GP logic includes parameters, the judgment t:s must be extended to account for parameters, in addition to ground terms. The new judgment is:

Σ ⊢ t:s

meaning that term t has sort s in parameter context Σ. In particular, Σ, x:s ⊢ x:s holds. Also, [t/x] stands for the capture-avoiding substitution of term t for all occurrences of the free variable x. In particular, [t/x]A is the proposition A with all free occurrences of x replaced by t.

2.1.2  Judgments 

In GP logic, it is necessary to reason about the truth of propositions. That is, statements of the form "Proposition A is true" are objects of knowledge and the subjects of proofs. Following Martin-Löf's philosophy, GP logic therefore includes the judgment form A true, which presupposes that A is a well-formed proposition. For syntactic simplicity, the modifier true will often be dropped, so that A will implicitly stand for the judgment A true.

However,  the  truth  of  propositions  is  not  a  sufficiently  expressive  notion  upon  which  to  base 
an  authorization  logic.  In  addition  to  reasoning  about  objective  truths,  it  is  necessary  to  reason 
about  principals’  policies  or  intents.  The  approach  taken  by  GP  logic  is  to  add  a  new  judgment 
form  K  affirms  A,  meaning  that  “Principal  K  affirms  that  proposition  A  is  true.”  A  principal, 
then,  issues  a  policy  by  affirming  the  truth  of  that  policy.  The  affirmation  K  affirms  A  should  not 
be  interpreted  narrowly  as  a  direct  statement  of  A  by  K.  Instead,  it  may  follow  indirectly  from 
other  affirmations  made  by  K.  For  example,  in  an  implementation,  K  affirms  A  will  be  established 
either  directly  by  a  digital  certificate  signed  by  K  containing  A  or  indirectly  by  a  logical  derivation 
stemming  from  such  certificates. 

These  judgments  of  truth  and  affirmation  are  the  basic  judgment  forms  of  GP  logic.  However, 
they  are  of  little  use  in  isolation;  in  a  logic,  we  need  to  be  able  to  reason  from  hypotheses.  The 
mechanism  that  GP  logic  uses  is  termed  a  hypothetical  judgment  or  sequent,  an  extension  of  a 
basic  judgment  that  explicitly  lists  the  allowable  assumptions. 

¹Although this meaning is distinct from its usage in the access control literature, we will continue to use this terminology, as it is common in logic and type theory.
Specifically, GP logic uses two hypothetical judgment forms:

Σ; Γ ⊢ A true

Σ; Γ ⊢ K affirms A

where Σ is a context of the parameters, ascribed with sorts, that may appear free in Γ, K, and A; and Γ is an unordered set of hypotheses of the form A true. In the following sections, we write γ in place of the basic judgment appearing to the right of ⊢ when its form does not matter; γ may stand for either A true or K affirms A.

The first of the above hypothetical judgments may be read "Under the hypotheses of Γ, proposition A is true, parametrically in the terms of Σ." Similarly, the second hypothetical judgment states "Under the hypotheses of Γ, principal K affirms that proposition A is true, parametrically in the terms of Σ."

2.1.3  Propositions 

The syntax of propositions in GP logic is:

A, B ::= P | A ∧ B | ⊤ | A ∨ B | A ⊃ B | ∀x:s.A | ∃x:s.A | ⟨K⟩A

GP logic contains nearly all of the ordinary connectives from first-order logic: atomic propositions, P; conjunction, A ∧ B; truth, ⊤; implication, A ⊃ B; universal quantification, ∀x:s.A; and existential quantification, ∃x:s.A. But falsehood, ⊥, is conspicuously absent. Falsehood is omitted from η_N logic for practical reasons that will be discussed in Section 3.1.4, and, for consistency, it is also omitted here. However, it should be noted that adding falsehood does not affect the logic itself; the meta-theorems presented in Section 2.3 have been verified with falsehood included.

Despite the close similarity of these propositions to those of first-order logic, there is one form of proposition that is unique to authorization logics: ⟨K⟩A, read "K says A". This proposition internalizes the affirmation judgment K affirms A, meaning that it is semantically equivalent to K affirms A, but is a proposition rather than a judgment.

Having an affirmation proposition allows affirmations to be combined with logical connectives, such as implication. For example, we could not combine the judgment K affirms A with the proposition B via implication because this would violate Martin-Löf's distinction between judgments and propositions: only propositions, and not judgments, can be operated on by the logical connectives. But we can combine the proposition ⟨K⟩A with the proposition B via implication as (⟨K⟩A) ⊃ B.

2.1.4  Inference  Rules 

GP  logic  possesses  a  proof-theoretic  semantics,  and  its  proof  rules  are  thus  critically  important. 
They,  and  not  any  other  external  semantics,  establish  the  meaning  of  the  truth  and  affirmation 
judgments.  We  therefore  proceed  to  present  the  proof  rules  of  GP  logic. 

Each inference rule is written in the form:

    J1  J2  ...  Jn
    --------------- label
           J

This notation means that if the premise judgments J1, J2, ..., Jn are evident, then the conclusion judgment J is also evident by the rule named label. Note that n may be 0. In this case, the rule has the form:

    ------ label
       J

and the conclusion judgment J is always evident: such rules are axioms.

With the notation explained, we can now describe the inference rules of GP logic. We begin by examining the meaning of hypotheses through the init rule.

$$\frac{}{\Sigma; \Gamma, P \vdash P}\ \mathit{init}$$

We would expect that an assumption A true could be used to immediately conclude A true. This is, in fact, the case. However, for technical reasons relating to proof search, we do not adopt this in its full generality as an inference rule, but instead use the above init rule, which restricts the direct use of hypotheses to atomic propositions P. We can recover the more general form as a meta-theorem (Theorem 2.1, Section 2.3).

Next, we consider the rules for the affirmation judgment and its internalization as a proposition.

$$\frac{\Sigma; \Gamma \vdash A}{\Sigma; \Gamma \vdash K\ \mathit{affirms}\ A}\ \mathit{affirms}$$

When is an affirmation judgment evident? That is, when can we conclude that a principal K affirms the truth of proposition A? If A is true, it is made evident by a proof. When this proof is presented to K, K is confronted with irrefutable evidence of the truth of A. K cannot possibly deny the truth of A, for doing so would violate K’s rationality. Instead, K must affirm it. Thus, one way of establishing K affirms A is to establish A true. This is captured by the above affirms rule.

In a sequent calculus, the meaning of each logical connective ⋆ is defined by a set of right rules and a set of left rules. Right rules show how A ⋆ B true may be established, and left rules show how a hypothesis A ⋆ B true may be used. For the ⟨⟩ connective, there is one right rule and one left rule:

$$\frac{\Sigma; \Gamma \vdash K\ \mathit{affirms}\ A}{\Sigma; \Gamma \vdash \langle K\rangle A}\ \langle\rangle R \qquad \frac{\Sigma; \Gamma, \langle K\rangle A, A \vdash K\ \mathit{affirms}\ B}{\Sigma; \Gamma, \langle K\rangle A \vdash K\ \mathit{affirms}\ B}\ \langle\rangle L$$

The right rule, ⟨⟩R, specifies that ⟨K⟩A true may be established by evidence that K affirms A holds. This is consistent with our above claim that the proposition ⟨K⟩A is the internalization of the judgment K affirms A. We now know how to verify ⟨K⟩A true, but how does one use the hypothesis ⟨K⟩A true?

The left rule, ⟨⟩L, gives instructions for how the hypothesis ⟨K⟩A true may be used. Because ⟨K⟩A true represents the knowledge that K affirms A true, from K’s perspective, A may as well be true. So, provided that we are reasoning about an affirmation made by K, that is, provided that we are inside K’s mind, the hypotheses ⟨K⟩A true and A true are equivalent.

This rule also holds principals accountable for their statements. Having affirmed A true, principal K cannot refute it, and so ⟨K⟩A may be used as A true when reasoning about an affirmation made by K.
We now review the inference rules for implication and universal quantification. A reader familiar with the sequent calculus presentation of first-order logic may skip this discussion; there is nothing unique to GP logic in the remaining rules.

First, we give the rules for implication.

$$\frac{\Sigma; \Gamma, A \vdash B}{\Sigma; \Gamma \vdash A \supset B}\ {\supset}R \qquad \frac{\Sigma; \Gamma, A \supset B \vdash A \quad \Sigma; \Gamma, A \supset B, B \vdash \gamma}{\Sigma; \Gamma, A \supset B \vdash \gamma}\ {\supset}L$$

The implication A ⊃ B may be intuitively thought of as a plan for converting a proof of A true to a proof of B true. Such a conversion can be established by assuming that a proof of A true is given and constructing a proof of B true from this assumption. This is captured by the right rule, ⊃R. The conversion intuition also suggests that the hypothesis A ⊃ B true can be used by executing this plan. Given A true, the plan A ⊃ B true can be carried out to produce B true. This intuition is formalized in the left rule, ⊃L.

Next, we give the rules for universal quantification.

$$\frac{\Sigma, x{:}s; \Gamma \vdash A}{\Sigma; \Gamma \vdash \forall x{:}s.A}\ \forall R \qquad \frac{\Sigma \vdash t{:}s \quad \Sigma; \Gamma, \forall x{:}s.A, [t/x]A \vdash \gamma}{\Sigma; \Gamma, \forall x{:}s.A \vdash \gamma}\ \forall L$$

The right rule, ∀R, states that ∀x:s.A true may be verified by establishing A true for all possible terms of sort s. This is done by introducing a new parameter x of sort s and establishing A true parametrically in x. Just as the implication A ⊃ B can be thought of as a plan for converting a proof of A true to a proof of B true, the right rule, ∀R, suggests that ∀x:s.A can be thought of as a plan for creating a proof of [t/x]A true for any term t of sort s. So, assuming such a plan and given a term t of sort s, the plan can be carried out to produce [t/x]A true. This intuition is captured by the left rule, ∀L.

The remaining connectives of GP logic and their rules are taken directly from first-order logic, as for implication and universal quantification. A summary of all of the inference rules in GP logic is given in Figure 2.1.

Before concluding this section, we illustrate some properties of GP logic. We write ⊨ A if, for all Σ, Σ; · ⊢ A true is derivable, and write ⊭ A otherwise. Also, A ≡ B abbreviates (A ⊃ B) ∧ (B ⊃ A).

1. ⊨ A ⊃ (⟨K⟩A)

2. ⊨ (⟨K⟩⟨K⟩A) ⊃ (⟨K⟩A)

3. ⊨ (⟨K⟩(A ⊃ B)) ⊃ ((⟨K⟩A) ⊃ (⟨K⟩B))

4. ⊭ (⟨K⟩A) ⊃ A

5. ⊭ A

Properties 1–3 show that ⟨K⟩ is similar to a lax modality [20]. Property 4 highlights the difference between truth and affirmation: truth is always affirmed (as shown in Property 1), but an affirmation by some principal does not entail truth. Finally, Property 5 establishes the consistency of GP logic by demonstrating that an arbitrary proposition is not true a priori.
[Figure 2.1: The inference rules for Garg-Pfenning logic. The rules recoverable from the page are reproduced below, grouped as in the figure.]

Initial Rule

$$\frac{}{\Sigma; \Gamma, P \vdash P}\ \mathit{init}$$

Affirmation and ⟨K⟩A

$$\frac{\Sigma; \Gamma \vdash A}{\Sigma; \Gamma \vdash K\ \mathit{affirms}\ A}\ \mathit{affirms} \qquad \frac{\Sigma; \Gamma \vdash K\ \mathit{affirms}\ A}{\Sigma; \Gamma \vdash \langle K\rangle A}\ \langle\rangle R \qquad \frac{\Sigma; \Gamma, \langle K\rangle A, A \vdash K\ \mathit{affirms}\ B}{\Sigma; \Gamma, \langle K\rangle A \vdash K\ \mathit{affirms}\ B}\ \langle\rangle L$$

Other Connectives

$$\frac{\Sigma; \Gamma \vdash A \quad \Sigma; \Gamma \vdash B}{\Sigma; \Gamma \vdash A \wedge B}\ {\wedge}R \qquad \frac{\Sigma; \Gamma, A \wedge B, A \vdash \gamma}{\Sigma; \Gamma, A \wedge B \vdash \gamma}\ {\wedge}L_1 \qquad \frac{\Sigma; \Gamma, A \wedge B, B \vdash \gamma}{\Sigma; \Gamma, A \wedge B \vdash \gamma}\ {\wedge}L_2$$

$$\frac{}{\Sigma; \Gamma \vdash \top}\ {\top}R \qquad \frac{\Sigma; \Gamma \vdash A}{\Sigma; \Gamma \vdash A \vee B}\ {\vee}R_1 \qquad \frac{\Sigma; \Gamma \vdash B}{\Sigma; \Gamma \vdash A \vee B}\ {\vee}R_2 \qquad \frac{\Sigma; \Gamma, A \vee B, A \vdash \gamma \quad \Sigma; \Gamma, A \vee B, B \vdash \gamma}{\Sigma; \Gamma, A \vee B \vdash \gamma}\ {\vee}L$$

$$\frac{\Sigma; \Gamma, A \vdash B}{\Sigma; \Gamma \vdash A \supset B}\ {\supset}R \qquad \frac{\Sigma; \Gamma, A \supset B \vdash A \quad \Sigma; \Gamma, A \supset B, B \vdash \gamma}{\Sigma; \Gamma, A \supset B \vdash \gamma}\ {\supset}L$$

$$\frac{\Sigma, x{:}s; \Gamma \vdash A}{\Sigma; \Gamma \vdash \forall x{:}s.A}\ \forall R \qquad \frac{\Sigma \vdash t{:}s \quad \Sigma; \Gamma, \forall x{:}s.A, [t/x]A \vdash \gamma}{\Sigma; \Gamma, \forall x{:}s.A \vdash \gamma}\ \forall L$$

Figure 2.1: The inference rules for Garg-Pfenning logic.
2.2 Examples

Now that we have presented the judgments and crucial inference rules of GP logic, the reader should be sufficiently prepared to consider a few examples of policies written in GP logic. First, we present an example that will recur throughout the remainder of this thesis: controlling access to academic offices. Although this example is relatively small, it will still demonstrate the use of affirmation in GP logic, and, in later chapters, highlight the increased expressive power of η logic. Second, we examine the application of GP logic to chemical laboratory inspections.

In these examples, we adopt the conventions that ∀ and ⊃ are right associative, and that binding precedence decreases in the order: ⟨⟩, ∨, ⊃, ∀.

2.2.1 Office Entry

In this example, we describe two hypothetical policies for the Grey system [9, 8], an architecture for controlling entry to academic offices that was developed and is currently deployed at Carnegie Mellon University. In the Grey system, each office door is equipped with a processor that controls access to the office through PCA. Following the standard PCA methodology, the office door will unlock only if the principal requesting access presents the doorfront processor with a correct proof that, under the security policies of the system, she is authorized to enter.

For  this  example,  we  postulate  the  existence  of  an  administrating  principal,  admin,  that  controls 
entry  to  the  various  faculty,  staff,  and  student  offices  in  his  administrative  domain.  For  simplicity, 
we  also  assume  that  the  ownership  relation  between  principals  and  offices  is  an  injective  function, 
so  that  each  office  can  be  named  according  to  its  owner. 

Only one predicate is used here: may_enter. may_enter(K2, K1) means that principal K2 is allowed to enter K1’s office.

One reasonable policy to include in such a system is the authorization of every principal to enter her own office. Because admin controls each office, this policy is expressed in GP logic as:

own : ⟨admin⟩(∀K:principal. may_enter(K, K)) true

This policy may be read as “The administrator says that each principal K may enter her own office.” Although extremely simple, this policy exhibits an important point. Because the certificate corresponding to an affirmation must be an independent object, it cannot contain free variables. Thus, any quantifiers must appear inside the top-level affirmation, as seen in the own policy. For example, the following logically equivalent formulation is difficult to enforce, as it requires one certificate from admin for each member of the potentially expandable set of principals:

∀K:principal. ⟨admin⟩may_enter(K, K) true

Another reasonable feature to have in an office access control system is the ability of each office owner to decide who may enter her office. To accomplish this, the administrator can agree to trust office owners’ access control decisions:

trust : ⟨admin⟩(∀K1:principal. ∀K2:principal.
            ⟨K1⟩may_enter(K2, K1) ⊃
            may_enter(K2, K1)) true

This policy may be read as “The administrator says that, for all pairs of principals K1 and K2, if K1 says K2 may enter K1’s office, then K2 may indeed enter K1’s office.” The trust policy expresses a kind of delegation: K1 now speaks for admin on matters of K1’s office.

To clarify how the trust policy can be used, consider a professor Alice and her graduate student Bob. Suppose that Alice is out of the office on May 7, 2008. Bob needs to retrieve a paper from Alice’s office that he and Alice are collaborating on. He calls Alice and she agrees to issue the following credential:

C : ⟨Alice⟩may_enter(Bob, Alice) true

Bob then approaches Alice’s door and requests entry to her office using his cell phone. Before the door will unlock, Bob must submit a correct proof of

Σ_{A,B}; own, trust, C ⊢ ⟨admin⟩may_enter(Bob, Alice) true

where Σ_{A,B} assigns sort principal to all principals in the system. That is, Bob must prove that the administrator allows him to enter Alice’s office. Bob’s phone constructs the required proof by simply applying the trust hypothesis to the C hypothesis (up to an approximation). The doorfront processor checks this proof, and, since it is correct, unlocks the door.
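To make the derivation concrete, the following is an added example (not the thesis’s proof checker and not the Grey system’s code): a bounded proof search over the GP rules introduced above, run on the own, trust and C hypotheses of this section. The tuple encoding of propositions, the depth bound and the three-principal Σ are assumptions of this example.

```python
"""Bounded proof search for a fragment of GP logic: init, affirms, <>R, <>L,
⊃L and ∀L (the right rules for ⊃ and ∀ are not needed here).  Constructed
encoding for this example:
  ('P', name, args)     atomic proposition; args is a tuple of term strings
  ('says', K, A)        <K>A
  ('imp', A, B)         A ⊃ B
  ('all', x, sort, A)   ∀x:sort. A
A goal is ('true', A) or ('affirms', K, A); Σ is a tuple of (term, sort)
pairs and Γ a frozenset of propositions assumed true."""
from functools import lru_cache


def subst(t, x, prop):
    """[t/x]prop: replace the free variable x by the term t."""
    tag = prop[0]
    if tag == 'P':
        return ('P', prop[1], tuple(t if a == x else a for a in prop[2]))
    if tag == 'says':
        return ('says', t if prop[1] == x else prop[1], subst(t, x, prop[2]))
    if tag == 'imp':
        return ('imp', subst(t, x, prop[1]), subst(t, x, prop[2]))
    if prop[1] == x:                 # an 'all' that rebinds x: nothing free below
        return prop
    return ('all', prop[1], prop[2], subst(t, x, prop[3]))


@lru_cache(maxsize=None)
def prove(sigma, gamma, goal, depth=8):
    """True iff Σ;Γ ⊢ goal has a derivation of height at most `depth`."""
    if goal[0] == 'true' and goal[1][0] == 'P' and goal[1] in gamma:
        return True                  # init: atomic hypotheses are used directly
    if depth == 0:
        return False
    if goal[0] == 'true':
        A = goal[1]
        if A[0] == 'says':           # <>R: reduce <K>A to K affirms A
            return prove(sigma, gamma, ('affirms', A[1], A[2]), depth - 1)
    else:
        K, A = goal[1], goal[2]
        if prove(sigma, gamma, ('true', A), depth - 1):   # affirms: truth is affirmed
            return True
        for hyp in gamma:            # <>L: inside K's mind, <K>B may be used as B
            if hyp[0] == 'says' and hyp[1] == K and hyp[2] not in gamma:
                if prove(sigma, gamma | {hyp[2]}, goal, depth - 1):
                    return True
    for hyp in gamma:                # left rules, available for either goal form
        if hyp[0] == 'imp' and hyp[2] not in gamma:        # ⊃L: carry out the plan
            if (prove(sigma, gamma, ('true', hyp[1]), depth - 1)
                    and prove(sigma, gamma | {hyp[2]}, goal, depth - 1)):
                return True
        if hyp[0] == 'all':                                 # ∀L: any term of the sort
            for t, s in sigma:
                inst = subst(t, hyp[1], hyp[3])
                if s == hyp[2] and inst not in gamma:
                    if prove(sigma, gamma | {inst}, goal, depth - 1):
                        return True
    return False


def may_enter(k2, k1):
    """may_enter(K2, K1): principal K2 may enter K1's office."""
    return ('P', 'may_enter', (k2, k1))


# Σ_{A,B}: every principal in this constructed system has sort principal.
SIGMA = (('admin', 'principal'), ('Alice', 'principal'), ('Bob', 'principal'))
# own : <admin>(∀K:principal. may_enter(K, K))
OWN = ('says', 'admin', ('all', 'K', 'principal', may_enter('K', 'K')))
# trust : <admin>(∀K1:principal. ∀K2:principal. <K1>may_enter(K2, K1) ⊃ may_enter(K2, K1))
TRUST = ('says', 'admin', ('all', 'K1', 'principal', ('all', 'K2', 'principal',
         ('imp', ('says', 'K1', may_enter('K2', 'K1')), may_enter('K2', 'K1')))))
# C : <Alice>may_enter(Bob, Alice), the credential Alice issues to Bob
C = ('says', 'Alice', may_enter('Bob', 'Alice'))


def door_opens(credentials, requester, owner):
    """The doorfront check: Σ; own, trust, credentials ⊢ <admin>may_enter(requester, owner)."""
    gamma = frozenset({OWN, TRUST, *credentials})
    goal = ('true', ('says', 'admin', may_enter(requester, owner)))
    return prove(SIGMA, gamma, goal)


if __name__ == '__main__':
    print(door_opens([C], 'Bob', 'Alice'))    # True: trust applied to C
    print(door_opens([], 'Bob', 'Alice'))     # False: no credential from Alice
    print(door_opens([], 'Alice', 'Alice'))   # True: the own policy
    # A credential Bob writes about Alice's office carries no weight: only Alice speaks for admin there.
    print(door_opens([('says', 'Bob', may_enter('Bob', 'Alice'))], 'Bob', 'Alice'))  # False
```

The last case is the security point of the trust policy: delegation is scoped to the owner of the office, so a principal cannot manufacture entry by affirming it himself.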

Although this policy serves its purpose, it is a rather coarse approximation of the behavior desired in general. It is likely that Alice wants the credential C to allow Bob access to her office only on May 7, 2008. If he needs access at a later time, he should be required to contact Alice again. But, under GP logic, once Alice issues credential C, Bob will be able to enter her office at any time, even months or years after May 7, 2008!

As noted previously, time might be handled in such a system using extra-logical checks. But then, the proof does not accurately reflect the true state of the system: access might be denied even though the proof is correct. This inaccuracy, even for such a simple example as office entry, motivates the development of η logic. We will revisit this example in Section 3.2.1 and show that, in η logic, users can restrict access to their offices by time.


2.2.2  Chemical  Laboratory  Inspections 


We  now  consider  a  more  complicated  example.  Inspection  duties  of  the  United  States  Occupational 
Safety  and  Health  Administration  (OSHA)  include  the  oversight  of  chemical  laboratories.  As  a 
rough  approximation,  the  inspection  process  can  be  thought  of  as  a  verification  that  all  employees 
of  the  laboratory  are  “safe”  in  some  appropriately  defined  way.  OSHA  will  certify  the  laboratory 
only  if  this  safety  can  be  guaranteed. 

To model the inspection process in GP logic, we assume the existence of a sort, lab, of chemical laboratories and the existence of a distinguished principal OSHA. The following predicates are required:

is_employee(K, L)     Principal K is an employee of lab L.
is_manager(K, L)      Principal K is a manager of lab L.
is_technician(K, L)   Principal K is a technician of lab L.
is_janitor(K, L)      Principal K is a janitor of lab L.
is_safe(K, L)         Principal K is safe in lab L.
is_certified(L)       Lab L is certified and may continue operating.
It is reasonable to assume that OSHA classifies each employee of a laboratory according to his job description. We assume that the three classes established by OSHA are: manager, technician, and janitor. This classification policy can be expressed as:

job : ⟨OSHA⟩(∀L:lab. ∀K:principal.
          is_employee(K, L) ⊃
          (is_manager(K, L) ∨
           is_technician(K, L) ∨
           is_janitor(K, L))) true

This policy provides a method for distinguishing the job that an employee holds. Employees holding different positions may be “safe” under different conditions. For example, janitors may be exposed to chemicals but need not operate lab equipment, while technicians will handle chemicals and operate equipment. For this reason, a janitor might be “safe” if he can access safety procedures for all chemicals in the lab, but he need not (and perhaps should not) access equipment manuals. On the other hand, a technician would need to be able to access both chemical safety procedures and equipment manuals to be “safe.”

OSHA’s certification policy can then be expressed as:

certify : ⟨OSHA⟩(∀L:lab.
              (∀K:principal. is_employee(K, L) ⊃ is_safe(K, L)) ⊃
              is_certified(L)) true

This can be read as “OSHA says that a lab L is certified if, for all employees K of lab L, K is safe in lab L.”

In many policies, credentials are required to establish a result. Note that, in the certify policy, however, the requirement is a kind of conditional credential: the safety of a principal K in lab L is only needed when K is an employee of L. Because this condition exists, it is possible, using the case analysis induced by the job policy, to take the specific job of K into account when determining K’s safety.

2.3  Meta-theory 

One  of  the  key  advantages  of  a  proof-theoretic  logic  is  its  singular  amenability  to  a  rigorous  meta- 
theoretic  analysis.  Meta-theorems  are  stated  as  natural  and  desirable  properties  of  the  logic — 
properties  that  one  would  expect  to  hold.  The  proofs  of  these  properties  serve  as  a  “sanity  check” 
on  the  design  of  the  logic;  if  some  expected  property  fails  to  hold,  perhaps  the  logic’s  design  should 
be  reconsidered. 

As a proof-theoretic logic, the meta-theory of GP logic can be explored in this way. There are two reasonable properties for GP logic. First, as alluded to in the discussion of the init rule (cf. Section 2.1.4), for any proposition A, from the assumption that A is true, it should be possible to establish that A is true. For atomic propositions P, this is captured explicitly in the init inference rule. For arbitrary propositions A, this is stated and proved as the following theorem.

Theorem 2.1 (Identity). For any proposition A, Σ; Γ, A true ⊢ A true.
Second, the logic should possess the cut elimination property. One cut rule for GP logic states that a proof of A true can be used to replace the hypothesis A true in a proof of γ to yield a direct proof of γ. For this reason, a cut rule might be intuitively thought of as a method for creating and using lemmata: the proof of A true functions as the lemma and the hypothesis A true in the proof of γ corresponds to the use of the lemma in proving the main theorem.

Since GP logic also permits conclusions of the form K affirms A, a cut rule for affirmation is also needed. K affirms A can replace the hypothesis A true in a proof of K affirms B since, from K’s perspective, truth and K’s affirmations are equivalent.

Cut elimination means that an explicit cut rule is not needed in the logic: any uses of the rule are unnecessary. The following theorem states the admissibility of cut. Because cut elimination follows from this by a straightforward induction, often only the admissibility of cut is formally stated and proven.

Theorem 2.2 (Admissibility of Cut).

1. If Σ; Γ ⊢ A true and Σ; Γ, A true ⊢ γ, then Σ; Γ ⊢ γ.

2. If Σ; Γ ⊢ K affirms A and Σ; Γ, A true ⊢ K affirms B, then Σ; Γ ⊢ K affirms B.

The proofs and associated lemmata for the above meta-theorems are given in [24].

2.4  Conclusion 

In hopes of adequately preparing the reader for the following discussion of η logic, this chapter has reviewed a proof-theoretic authorization logic developed by Garg and Pfenning [24]. We have also seen the application of GP logic to two disparate systems: office access control and chemical laboratory inspections. Finally, we have presented the meta-theory of GP logic and explained its importance as an expression of the logic’s soundness. We now proceed to develop ηN logic, which is heavily based on principles from GP logic reviewed in this chapter.


Chapter 3

ηN Logic


As  reviewed  in  the  preceding  chapter,  an  authorization  logic  can  form  a  theoretically  sound  basis 
for  access  control  systems.  However,  as  demonstrated  in  the  office  entry  example,  it  is  necessary 
that  the  logic  express  time-dependent  policies  in  order  to  facilitate  more  accurate  models  of  access 
control  in  practice. 

In this chapter, we develop an authorization logic with explicit time, ηN logic, by modifying GP logic. After giving a formal description of ηN logic, we present two applications of the logic to systems with time-dependent policies. Finally, we carry out a careful study of the logic’s meta-theory and establish a formal correspondence with GP logic.


3.1  Logical  System 

ηN logic synthesizes ideas from several diverse logics. The concept of affirmation is borrowed from GP logic, the notion of truth relativized to an interval is inspired by the use of worlds in hybrid logic, and the combination of constraints and proof theory is adapted from constraint-based logics.

The  presentation  of  the  logic  is  therefore  broken  into  several  sections.  We  begin  by  discussing 
first-order  terms  and  sorts,  followed  by  a  description  of  the  system  of  constraints.  Next,  we  introduce 
the  judgments  and  propositions  of  the  logic.  Finally,  we  construct  a  proof-theoretic  semantics  for 
the  logic  by  giving  the  inference  rules. 

3.1.1  First-order  Terms  and  Sorts 

The basic system for first-order terms and sorts remains as it is in GP logic. Σ is still a context listing the parameters in scope and their respective sorts. We continue to write Σ ⊢ t:s for the judgment that term t has sort s and [t/x]A for the substitution of term t for the free variable x in proposition A.

The sort principal of principals is carried over from GP logic. ηN logic includes two additional sorts: the sort time of times and the sort interval of time intervals. Application-specific sorts can be added as needed.

Times are the components that comprise the time intervals about which ηN logic reasons. Because the logic does not depend on it, a concrete structure for times is not given, but is instead left to be specified by individual applications. However, one may intuitively think of times as points on the real line. Times are usually represented by t; it should be clear from the context whether a given occurrence of t indicates an arbitrary term or a time.

Intervals, represented with the meta-variable I, are sets of times about which reasoning occurs. Despite the use of the terminology “interval,” these sets of times need not be intervals in the mathematical sense; that is, they need not have the form [t1, t2] = {x | t1 ≤ x ≤ t2} or the related open interval forms. ηN logic is flexible enough to permit the use of arbitrary sets of times. However, we overlook the slight abuse of terminology since sets that are strictly intervals appear naturally in many applications.

3.1.2  Constraints 

As will be seen in Section 3.1.5, the rules of ηN logic will require an inclusion relation for intervals. Because interval parameters are permitted in the logic, it is not sufficient to simply adopt a mathematical definition of interval inclusion. Instead, a constraint domain is incorporated in the logic. The superset constraint form I ⊇ I' is required, but the remainder of this domain is left open-ended: other constraint forms may be freely added for application-specific purposes. The meta-variable C denotes an arbitrary constraint form.

Because it will be necessary to assume that certain constraints hold during reasoning, a constraint context is introduced, with the following syntax:

$$\Psi ::= \cdot \mid \Psi, C$$

Thus, each constraint context Ψ is a (possibly empty) set of constraints. Reordering of the members of Ψ is freely permitted. We will use the constraint entailment judgment

$$\Sigma; \Psi \models C$$

to mean “Under the constraints of Ψ, constraint C holds, parametrically in the members of Σ.” Note that the context Σ is required because Ψ and C may contain parameters from Σ.

Because the structure of intervals is left abstract, even the particular decision procedure used to solve superset constraints remains relatively unspecified: any system satisfying the following six basic properties can be used as the constraint domain. These properties are required for the meta-theory that will be presented in Section 3.3.

(Hypothesis) Σ; Ψ, C ⊨ C.

(Weakening) If Σ; Ψ ⊨ C, then Σ, Σ'; Ψ, Ψ' ⊨ C.

(Cut) If Σ; Ψ ⊨ C and Σ; Ψ, C ⊨ C', then Σ; Ψ ⊨ C'.

(Substitution) If Σ ⊢ t:s and Σ, x:s; Ψ ⊨ C, then Σ; [t/x]Ψ ⊨ [t/x]C.

(Reflexivity) Σ; Ψ ⊨ I ⊇ I.

(Transitivity) If Σ; Ψ ⊨ I ⊇ I' and Σ; Ψ ⊨ I' ⊇ I'', then Σ; Ψ ⊨ I ⊇ I''.

3.1.3  Judgments 

Our goal in designing ηN logic is to allow reasoning about explicit time within an authorization logic. Instead of reasoning about the truth of propositions, as was done in GP logic, it is necessary to reason about the truth of propositions during explicit time intervals. Therefore, the objects of knowledge in ηN logic are not statements of the form “Proposition A is true,” but rather “Proposition A is true during interval I.” According to Martin-Löf’s philosophy, the logic should therefore include a judgment form that relativizes truth to a time interval. We choose to write A[I] for the judgment meaning “Proposition A is true during interval I.”

In addition to its truth judgment form, A true, GP logic includes an affirmation judgment form, K affirms A, to model principals’ intents and policies. It is therefore natural to include affirmation in ηN logic, since it is still necessary to model policies. But how should affirmation interact with explicit time intervals?

By adopting the reasonable notion that everything can be relativized to a time interval, it can be concluded that each affirmation made by a principal occurs on some time interval. Moreover, a principal cannot affirm a proposition, but must instead affirm a judgment. Combining these two ideas naturally leads to statements of the form “During interval I, principal K affirms the truth of proposition A on interval I'” as objects of knowledge. Using the @ connective described in the next two sections, the previous statement will be equivalent to “During interval I, principal K affirms the truth of proposition A @ I' on interval I.” As a result, it is sufficient to consider only statements of the latter form: if the interval of truth is different from the interval of affirmation, it can be embedded in the proposition.

We therefore arrive at the judgment form (K affirms A) at I, meaning that “During interval I, principal K affirms the truth of proposition A on I.” Since, as mentioned previously, principals do not affirm propositions, but instead affirm judgments, it would be more precise to write the affirmation judgment form as (K affirms A[I]) at I. But because the two intervals are the same, we can elide the first interval.

Because reasoning from assumptions is needed, ηN logic extends the basic judgment forms A[I] and (K affirms A) at I to permit hypotheses. The hypothetical judgment forms are:

$$\Sigma; \Psi; \Gamma \vdash A[I]$$

$$\Sigma; \Psi; \Gamma \vdash (K\ \mathit{affirms}\ A)\ \mathit{at}\ I$$

where Σ is a context ascribing sorts to the parameters that may appear in Ψ, Γ, K, A, and I; Ψ is a constraint context containing the constraints assumed to hold; and Γ is a set of hypotheses of the form A[I]. In the following sections, we will write γ in place of the basic judgment to the right of 
⊢ when its form does not matter.

The first hypothetical judgment form means “Assuming that the constraints in Ψ hold and under the assumptions in Γ, proposition A is true during interval I, parametrically in the members of Σ.” Similarly, the second hypothetical judgment form means “Assuming that the constraints in Ψ hold and under the assumptions in Γ, during interval I, principal K affirms that proposition A is true on I, parametrically in the members of Σ.”

3.1.4  Propositions 

The propositions in ηN logic are given by the following grammar:

These propositions include those of GP logic. Just as ⟨K⟩A internalizes the judgment K affirms A in GP logic, ⟨K⟩A internalizes the judgment (K affirms A) at I in ηN logic. Although the formal meanings of the connectives must shift with the change from time-independent basic judgments to time-dependent ones, the connectives still retain their intuitive meanings. For example, A ∧ B still behaves like a pair of A and B. This is made precise by the formal correspondence between GP logic and a fragment of ηN logic established in Section 3.3.2.

There are three new proposition forms in ηN logic: A @ I, C ⊃ A, and C ∧ A. The proposition A @ I internalizes the new judgment A[I], allowing us to legitimately combine it with the other logical connectives. For example, although (A[I]) ⊃ B would violate the distinction between judgments and propositions, (A @ I) ⊃ B is a well-formed proposition.

C ⊃ A and C ∧ A are constraint implication and constraint conjunction propositions, respectively, adapted from Saranli and Pfenning’s Constrained Intuitionistic Linear Logic [38]. They permit the constraint domain to interact with the rest of the logic.

It should be noted that falsehood, ⊥, is not included in the logic, stemming from the need to avoid security risks. If falsehood were included and, by some accident of policy management, a contradiction existed for any interval I, even an arbitrarily small one, then the judgment ⊥[I] would be derivable. From this judgment, any user would be able to give a valid proof of any judgment, including those allowing him to access protected resources even at times outside of I.¹ We therefore exclude falsehood from the logic to prevent this scenario from ever arising.

One consequence of the absence of falsehood is that policies to explicitly deny a group of users access cannot be written; only policies that explicitly allow a group of users access can be written. Stated differently, only whitelists, and not blacklists, can be created.

3.1.5 Inference Rules

Following  the  presentation  of  GP  logic,  we  now  state  a  few  key  proof  rules  and  attempt  to  provide 
some  intuition  for  them.  We  postpone  the  inference  rules  for  the  well-formedness  of  propositions, 
judgments,  and  contexts  to  Section  5.1  to  avoid  obscuring  the  key  proof  rules. 

We  begin  by  presenting  the  in  it  rule  that  defines  the  nature  of  hypotheses: 

S;!'  ^  I  D  /' 

S;^;F,P[/]  ^  P[r] 

We would expect that, from the assumption that proposition $A$ is true on interval $I$, it should be possible to prove that $A$ is true on $I$. More generally, since truth on an interval refers to truth over the whole of that interval, it should be possible to prove that $A$ is true on any subinterval $I'$ of $I$ from this assumption. The init rule captures this intuition, though, as in GP logic, it is restricted to atomic propositions $P$ for technical reasons relating to proof search. The init rule in its full generality is proven admissible in Theorem 3.2 (cf. Section 3.3.1).

Next, consider the new connective: @.

\[\frac{\Sigma;\Psi;\Gamma \vdash A[I]}{\Sigma;\Psi;\Gamma \vdash A@I[I']}\ @R
\qquad
\frac{\Sigma;\Psi;\Gamma, A@I[I'], A[I] \vdash \gamma}{\Sigma;\Psi;\Gamma, A@I[I'] \vdash \gamma}\ @L\]


¹ The admissibility of cut requires that a $\bot[I]$ hypothesis prove judgments at arbitrary intervals, not just at $I$.

The right rule, @R, shows that establishing $A[I]$ is sufficient evidence for $A@I[I']$ for any interval $I'$. The left rule, @L, allows the hypothesis $A@I[I']$ to be used as $A[I]$.

Taken together, these rules imply an equivalence between $A[I]$ and $A@I[I']$ for any $I'$, and also show that $A@I$ internalizes the hybrid judgment $A[I]$. For example, establishing that "In 2008, it
is  true  that  ‘During  1815-1821,  Napoleon  Bonaparte  is  in  exile’”  is  equivalent  to  establishing  that 
“During  1815-1821,  Napoleon  Bonaparte  is  in  exile.”  In  other  words,  whether  it  is  true  now  that 
Napoleon  was  in  exile  depends  only  on  whether  it  was  true  then  that  Napoleon  was  in  exile. 

Next, we examine the constraint connectives. First, the rules for constraint implication:

\[\frac{\Sigma;\Psi, C;\Gamma \vdash A[I]}{\Sigma;\Psi;\Gamma \vdash C \supset A[I]}\ \supset R
\qquad
\frac{\Sigma;\Psi \models C \qquad \Sigma;\Psi;\Gamma, C \supset A[I], A[I] \vdash \gamma}{\Sigma;\Psi;\Gamma, C \supset A[I] \vdash \gamma}\ \supset L\]

$C \supset A$ represents the proposition $A$ with the constraint precondition $C$. Thus, as formalized in the $\supset R$ rule for constraint implication, verifying $C \supset A[I]$ involves verifying that $A$ is true during interval $I$ under the assumption that constraint $C$ holds. The corresponding $\supset L$ rule states that to establish $A[I]$ from $C \supset A[I]$, one must simply establish the constraint precondition $C$.

The other constraint connective is constraint conjunction.

\[\frac{\Sigma;\Psi \models C \qquad \Sigma;\Psi;\Gamma \vdash A[I]}{\Sigma;\Psi;\Gamma \vdash C \wedge A[I]}\ \wedge R
\qquad
\frac{\Sigma;\Psi, C;\Gamma, C \wedge A[I], A[I] \vdash \gamma}{\Sigma;\Psi;\Gamma, C \wedge A[I] \vdash \gamma}\ \wedge L\]

The $\wedge R$ rule for constraint conjunction requires that the constraint $C$ hold and that $A$ be true during interval $I$, reminiscent of the right rule for ordinary conjunction. The $\wedge L$ rule allows the hypothesis $C \wedge A[I]$ to be used by projecting out the two component hypotheses: $C$ and $A[I]$.

Next, we consider the rules for the affirmation judgment $(K\ \mathrm{affirms}\ A)\ \mathrm{at}\ I$ and its internalization as $\langle K\rangle A$.

\[\frac{\Sigma;\Psi;\Gamma \vdash A[I]}{\Sigma;\Psi;\Gamma \vdash (K\ \mathrm{affirms}\ A)\ \mathrm{at}\ I}\ \mathit{affirms}
\qquad
\frac{\Sigma;\Psi;\Gamma \vdash (K\ \mathrm{affirms}\ A)\ \mathrm{at}\ I}{\Sigma;\Psi;\Gamma \vdash \langle K\rangle A[I]}\ \langle\rangle R\]

\[\frac{\Sigma;\Psi;\Gamma, \langle K\rangle A[I], A[I] \vdash (K\ \mathrm{affirms}\ B)\ \mathrm{at}\ I' \qquad \Sigma;\Psi \models I \supseteq I'}{\Sigma;\Psi;\Gamma, \langle K\rangle A[I] \vdash (K\ \mathrm{affirms}\ B)\ \mathrm{at}\ I'}\ \langle\rangle L\]

The affirms rule indicates that, during interval $I$, every principal $K$ is prepared to affirm the truth of $A$ on $I$ if confronted with incontrovertible evidence of it: $K$ cannot possibly ignore the evidence and must therefore affirm $A[I]$.

The right rule, $\langle\rangle R$, shows that $\langle K\rangle A$ internalizes the affirmation judgment $(K\ \mathrm{affirms}\ A)\ \mathrm{at}\ I$. That is, by establishing $(K\ \mathrm{affirms}\ A)\ \mathrm{at}\ I$, one may conclude that the proposition $\langle K\rangle A$ is true on interval $I$.

The left rule, $\langle\rangle L$, shows how to use an affirmation made by $K$ during interval $I$. As in GP logic, the distinction between $K$'s affirmations and truth disappears when trying to prove an affirmation made by $K$. However, with time-dependent affirmations, the disappearance of this distinction is only valid for affirmations made by $K$ during a superinterval $I$ of the interval $I'$ for the affirmation made by $K$ that is being established. Without the interval constraint, this rule would be incorrect. If $I$ is not a superinterval of $I'$, one cannot be assured that $K$ still affirms $A$ during all of interval $I'$.
Next, we examine implication. Implication interacts very strongly with time, as evidenced by the combination of parameters, constraints, and hybrid worlds in its right and left rules:

\[\frac{\Sigma, i{:}\mathrm{interval};\ \Psi, I \supseteq i;\ \Gamma, A[i] \vdash B[i]}{\Sigma;\Psi;\Gamma \vdash A \supset B[I]}\ \supset R\]

\[\frac{\Sigma;\Psi;\Gamma, A \supset B[I] \vdash A[I'] \qquad \Sigma;\Psi \models I \supseteq I' \qquad \Sigma;\Psi;\Gamma, A \supset B[I], B[I'] \vdash \gamma}{\Sigma;\Psi;\Gamma, A \supset B[I] \vdash \gamma}\ \supset L\]

The judgment $A \supset B[I]$ may be intuitively thought of as a plan for converting $A$ to $B$ that is available during any subinterval of $I$. Such a conversion can be established by deriving $B[i]$ under the assumption $A[i]$, parametrically in the arbitrary subinterval $i$ of $I$. The parameter and corresponding constraint ensure that the conversion is valid at every time in $I$. This intuition is formalized in the right rule, $\supset R$.

The conversion intuition also appears in the left rule, $\supset L$. The plan $A \supset B[I]$ for converting $A$ to $B$ can be carried out to produce $B[I']$ from $A[I']$ provided $I'$ is a subinterval of $I$. The rule is incorrect without the subinterval proviso because the plan would not be available at an arbitrary $I'$.

The remaining connectives interact with time in straightforward ways. One such connective is conjunction:

\[\frac{\Sigma;\Psi;\Gamma \vdash A[I] \qquad \Sigma;\Psi;\Gamma \vdash B[I]}{\Sigma;\Psi;\Gamma \vdash A \wedge B[I]}\ \wedge R\]

\[\frac{\Sigma;\Psi;\Gamma, A \wedge B[I], A[I] \vdash \gamma}{\Sigma;\Psi;\Gamma, A \wedge B[I] \vdash \gamma}\ \wedge L_1
\qquad
\frac{\Sigma;\Psi;\Gamma, A \wedge B[I], B[I] \vdash \gamma}{\Sigma;\Psi;\Gamma, A \wedge B[I] \vdash \gamma}\ \wedge L_2\]


To show that $A \wedge B$ is true on interval $I$, it is sufficient to show both that $A$ is true on $I$ and that $B$ is true on $I$; this is captured by the $\wedge R$ rule. The left rules, $\wedge L_1$ and $\wedge L_2$, show that both $A$ and $B$ are true on $I$ if $A \wedge B$ is true on $I$. These right and left rules do not manipulate the interval annotations; they are the same as the rules in first-order logic for conjunction, but are tagged with intervals.

Note that these rules and the rules for $\supset$ imply the usual equivalence of curried and uncurried implications: $A \supset (B \supset C)[I]$ and $(A \wedge B) \supset C[I]$ entail each other.

The  remaining  proof  rules  follow  the  pattern  of  the  rules  for  conjunction,  and  are  given  in 
Figure  3.1. 

Before concluding this section, we state some properties of $\eta_N$ logic. We write $\models A$ if, for all $\Sigma$, $\Psi$, and $I''$, $\Sigma;\Psi;\cdot \vdash A[I'']$ is derivable, and write $\not\models A$ otherwise. Also, $A \equiv B$ abbreviates $(A \supset B) \wedge (B \supset A)$.

First, as in GP logic, $\langle K\rangle$ is similar to a lax modality [20] and $\langle K\rangle A$ does not imply $A$ in general:

1. $\models A \supset \langle K\rangle A$

2. $\models \langle K\rangle\langle K\rangle A \supset \langle K\rangle A$

3. $\models \langle K\rangle(A \supset B) \supset (\langle K\rangle A \supset \langle K\rangle B)$
Initial Rule

\[\frac{\Sigma;\Psi \models I \supseteq I'}{\Sigma;\Psi;\Gamma, P[I] \vdash P[I']}\ \mathit{init}\]

$A @ I$

\[\frac{\Sigma;\Psi;\Gamma \vdash A[I]}{\Sigma;\Psi;\Gamma \vdash A@I[I']}\ @R
\qquad
\frac{\Sigma;\Psi;\Gamma, A@I[I'], A[I] \vdash \gamma}{\Sigma;\Psi;\Gamma, A@I[I'] \vdash \gamma}\ @L\]

Constraints

\[\frac{\Sigma;\Psi, C;\Gamma \vdash A[I]}{\Sigma;\Psi;\Gamma \vdash C \supset A[I]}\ \supset R
\qquad
\frac{\Sigma;\Psi \models C \qquad \Sigma;\Psi;\Gamma, C \supset A[I], A[I] \vdash \gamma}{\Sigma;\Psi;\Gamma, C \supset A[I] \vdash \gamma}\ \supset L\]

\[\frac{\Sigma;\Psi \models C \qquad \Sigma;\Psi;\Gamma \vdash A[I]}{\Sigma;\Psi;\Gamma \vdash C \wedge A[I]}\ \wedge R
\qquad
\frac{\Sigma;\Psi, C;\Gamma, C \wedge A[I], A[I] \vdash \gamma}{\Sigma;\Psi;\Gamma, C \wedge A[I] \vdash \gamma}\ \wedge L\]

Affirmation and $\langle K\rangle A$

\[\frac{\Sigma;\Psi;\Gamma \vdash A[I]}{\Sigma;\Psi;\Gamma \vdash (K\ \mathrm{affirms}\ A)\ \mathrm{at}\ I}\ \mathit{affirms}
\qquad
\frac{\Sigma;\Psi;\Gamma \vdash (K\ \mathrm{affirms}\ A)\ \mathrm{at}\ I}{\Sigma;\Psi;\Gamma \vdash \langle K\rangle A[I]}\ \langle\rangle R\]

\[\frac{\Sigma;\Psi;\Gamma, \langle K\rangle A[I], A[I] \vdash (K\ \mathrm{affirms}\ B)\ \mathrm{at}\ I' \qquad \Sigma;\Psi \models I \supseteq I'}{\Sigma;\Psi;\Gamma, \langle K\rangle A[I] \vdash (K\ \mathrm{affirms}\ B)\ \mathrm{at}\ I'}\ \langle\rangle L\]

Other Connectives

\[\frac{\Sigma;\Psi;\Gamma \vdash A[I] \qquad \Sigma;\Psi;\Gamma \vdash B[I]}{\Sigma;\Psi;\Gamma \vdash A \wedge B[I]}\ \wedge R
\qquad
\frac{}{\Sigma;\Psi;\Gamma \vdash \top[I]}\ \top R\]

\[\frac{\Sigma;\Psi;\Gamma, A \wedge B[I], A[I] \vdash \gamma}{\Sigma;\Psi;\Gamma, A \wedge B[I] \vdash \gamma}\ \wedge L_1
\qquad
\frac{\Sigma;\Psi;\Gamma, A \wedge B[I], B[I] \vdash \gamma}{\Sigma;\Psi;\Gamma, A \wedge B[I] \vdash \gamma}\ \wedge L_2\]

\[\frac{\Sigma;\Psi;\Gamma \vdash A[I]}{\Sigma;\Psi;\Gamma \vdash A \vee B[I]}\ \vee R_1
\qquad
\frac{\Sigma;\Psi;\Gamma \vdash B[I]}{\Sigma;\Psi;\Gamma \vdash A \vee B[I]}\ \vee R_2\]

\[\frac{\Sigma;\Psi;\Gamma, A \vee B[I], A[I] \vdash \gamma \qquad \Sigma;\Psi;\Gamma, A \vee B[I], B[I] \vdash \gamma}{\Sigma;\Psi;\Gamma, A \vee B[I] \vdash \gamma}\ \vee L\]

Figure 3.1: The inference rules for $\eta_N$ logic.
Other Connectives, cont.

\[\frac{\Sigma, i{:}\mathrm{interval};\ \Psi, I \supseteq i;\ \Gamma, A[i] \vdash B[i]}{\Sigma;\Psi;\Gamma \vdash A \supset B[I]}\ \supset R\]

\[\frac{\Sigma;\Psi;\Gamma, A \supset B[I] \vdash A[I'] \qquad \Sigma;\Psi \models I \supseteq I' \qquad \Sigma;\Psi;\Gamma, A \supset B[I], B[I'] \vdash \gamma}{\Sigma;\Psi;\Gamma, A \supset B[I] \vdash \gamma}\ \supset L\]

\[\frac{\Sigma, x{:}s;\Psi;\Gamma \vdash A[I]}{\Sigma;\Psi;\Gamma \vdash \forall x{:}s.\,A[I]}\ \forall R
\qquad
\frac{\Sigma \vdash t{:}s \qquad \Sigma;\Psi;\Gamma, \forall x{:}s.\,A[I], [t/x]A[I] \vdash \gamma}{\Sigma;\Psi;\Gamma, \forall x{:}s.\,A[I] \vdash \gamma}\ \forall L\]

\[\frac{\Sigma \vdash t{:}s \qquad \Sigma;\Psi;\Gamma \vdash [t/x]A[I]}{\Sigma;\Psi;\Gamma \vdash \exists x{:}s.\,A[I]}\ \exists R
\qquad
\frac{\Sigma, x{:}s;\Psi;\Gamma, \exists x{:}s.\,A[I], A[I] \vdash \gamma}{\Sigma;\Psi;\Gamma, \exists x{:}s.\,A[I] \vdash \gamma}\ \exists L\]

Figure 3.2: The inference rules for $\eta_N$ logic, continued.

4. $\not\models \langle K\rangle A \supset A$

Next, we state a few properties of the @ connective:

5. $\not\models (A@I) \supset (A@I')$

6. $\models (I \supseteq I') \supset ((A@I) \supset (A@I'))$

7. $\models (A@I) \equiv (A@I@I')$

8. $\models ((A \wedge B)@I) \equiv ((A@I) \wedge (B@I))$

9. $\models ((A \vee B)@I) \equiv ((A@I) \vee (B@I))$

10. $\models ((A \supset B)@I) \supset ((A@I) \supset (B@I))$

11. $\not\models ((A@I) \supset (B@I)) \supset ((A \supset B)@I)$

12. $\not\models ((\langle K\rangle A)@I) \supset \langle K\rangle(A@I)$

13. $\not\models \langle K\rangle(A@I) \supset ((\langle K\rangle A)@I)$

Property 5 shows that truth on one interval does not entail truth on another interval, in general; the intervals may be unrelated. When the intervals are related by inclusion, the entailment does hold, as in property 6. Property 7 indicates that only the innermost $@I$ matters. This relates to the previously mentioned equivalence between $A[I]$ and $A@I[I']$. Properties 8 and 9 show that @ naturally distributes over $\wedge$ and $\vee$, intuitive and desirable properties. Properties 10 and 11 demonstrate that @ distributes over $\supset$ only in one direction. Properties 12 and 13 state that @ does not commute with $\langle K\rangle$.

Finally, $\eta_N$ logic is consistent:

14. $\not\models A$
3.2 Examples

With $\eta_N$ logic formalized, we can now illustrate its application to time-dependent access control policies by considering two examples. First, we revisit the office entry example and refine its policies to incorporate time. Second, we examine a journal publication system.

In these examples, we adopt the conventions that $\supset$ (both ordinary and constraint implication) is right associative, and that binding precedence decreases in the order: $\langle\rangle$; $\supset$; $\forall$.

3.2.1 Office Entry

Recall, from Section 2.2.1, the office entry example that was based on the Grey system. This example assumed an administrating principal, admin, that controlled entry to the offices, named each office according to its owner, and used the predicate may_enter, where $\mathrm{may\_enter}(K_2, K_1)$ meant that $K_2$ may enter $K_1$'s office. The two policies proposed for a PCA architecture based on GP logic were:

own : $\langle\mathrm{admin}\rangle(\forall K{:}\mathrm{principal}.\ \mathrm{may\_enter}(K, K))$ true

trust : $\langle\mathrm{admin}\rangle(\forall K_1{:}\mathrm{principal}.\ \forall K_2{:}\mathrm{principal}.$
$\quad\langle K_1\rangle\mathrm{may\_enter}(K_2, K_1) \supset \mathrm{may\_enter}(K_2, K_1))$ true

The  first  of  these  policies  allowed  every  office  owner  to  enter  her  own  office.  The  second  policy 
allowed  an  office  owner  to  make  decisions  about  who  may  enter  her  office,  decisions  which  the 
administrator  trusted. 

The above GP logic policies were sufficient for controlling who could enter an office, but not for controlling when that person could enter. This deficiency resulted from the inability of GP logic to reason with time internally. Now that we have developed $\eta_N$ logic as an authorization logic with time, it is natural to check that the new logic is expressive enough to handle time-based office entry policies.

First, consider creating an $\eta_N$ logic analogue of the own policy. Because $\eta_N$ logic includes all connectives from GP logic and because these connectives retain their intuitive meanings, a natural attempt uses the same proposition as own:

$\langle\mathrm{admin}\rangle(\forall K{:}\mathrm{principal}.\ \mathrm{may\_enter}(K, K))[?]$

At this moment, the judgment is incomplete: the time interval over which the proposition is true has not yet been specified (indicated by '?').

What interval should be used? It must be the same as the interval over which the policy will be valid. If the administrator wants to allow each office owner to enter her own office only during interval $I$, then the interval for this policy should be $I$. In the setting of academic offices, it would seem unusual for an office owner to be prevented from entering her office at any time. So, in this specific instance, the interval is $(-\infty, \infty)$. The $\eta_N$ logic analogue of own is then:

own' : $\langle\mathrm{admin}\rangle(\forall K{:}\mathrm{principal}.\ \mathrm{may\_enter}(K, K))[(-\infty, \infty)]$

This policy means that "At all times, the administrator says that each principal $K$ may enter her own office at any time."

Note  that  the  administrator  need  not  commit  to  a  policy  for  an  extended  period  of  time.  For 
example,  suppose  that  the  administrator  only  wants  to  commit  to  allowing  an  office  owner  to  enter 
her  own  office  during  2008.  The  administrator  would  issue  the  policy  with  2008  as  its  validity 
interval.  If  the  administrator  later  chooses  to  extend  the  policy  through  2009,  he  can  reissue  the 
same  policy  with  the  new  interval  2009.  If,  instead,  the  administrator  chooses  not  to  renew  the 
policy,  he  simply  does  nothing:  the  2008  version  will  no  longer  be  valid  in  2009. 

Next, consider creating an analogue of the trust policy. Again, we use the same proposition as in trust. For concreteness, we choose $(-\infty, \infty)$ as the validity interval, but it should be noted that any desired interval could be used. The policy is then:

trust' : $\langle\mathrm{admin}\rangle(\forall K_1{:}\mathrm{principal}.\ \forall K_2{:}\mathrm{principal}.$
$\quad\langle K_1\rangle\mathrm{may\_enter}(K_2, K_1) \supset \mathrm{may\_enter}(K_2, K_1))[(-\infty, \infty)]$

This policy means that "At all times, the administrator says that, for all pairs of principals $K_1$ and $K_2$, if $K_1$ says $K_2$ may enter $K_1$'s office at some time, then $K_2$ may indeed enter $K_1$'s office at that time."

With this policy, we can now reconsider the situation of the professor Alice and her graduate student Bob. Recall that Alice is out of the office on May 7, 2008 and that Bob needs to retrieve a paper from Alice's office. Alice agrees to authorize Bob to enter her office, but only for that day. So, she issues the following credential:

$C'$ : $\langle\mathrm{Alice}\rangle\mathrm{may\_enter}(\mathrm{Bob}, \mathrm{Alice})[5/7/08]$

At some time $t$, Bob will approach Alice's office door and request access using his cell phone. Before the door will unlock, he must present a correct proof of:

$\Sigma_{A,B};\ \cdot;\ \mathit{own}', \mathit{trust}', C' \vdash \langle\mathrm{admin}\rangle\mathrm{may\_enter}(\mathrm{Bob}, \mathrm{Alice})[[t, t]]$

where $\Sigma_{A,B}$ assigns the sort principal to all principals in the system. Provided that $t$ is some time during May 7, 2008 (formally, $\models 5/7/08 \supseteq [t, t]$), Bob's phone can construct a correct proof by applying the trust' policy to the credential $C'$ that Alice supplied, and Bob will be granted access. If $t$ is not during May 7, 2008 (formally, $\not\models 5/7/08 \supseteq [t, t]$), there is no correct proof of the required judgment, and Bob will not be granted access.

As is evident from this example, $\eta_N$ logic permits the expression of a richer set of policies than is possible in GP logic. However, the logic is still not sufficiently expressive. The deficiency occurs even in this small office entry example. Alice can now restrict the times during which Bob may access her office, but it is not possible to restrict the number of times Bob may enter. Specifically, because the credential $C'$ is never consumed during use, Bob may enter the office as many times as he wants on May 7, 2008 by repeatedly using $C'$.

Because $\eta_N$ logic models the expiration of, but not the consumption of, credentials, the above deficiency motivates us to extend the logic with linearity, just as Garg and Pfenning cleanly added linearity to an authorization logic without time [23]. This effort toward a linear $\eta$ logic that can model consumable credentials is the focus of the following chapter.
3.2.2 Journal Publication

To further demonstrate the increased expressiveness of $\eta_N$ logic, consider a peer-review publication system as employed by academic journals. This example uses time in a more complex way than the previous example and also illustrates the use of time-based constraints and constraint implication.

We postulate the existence of two application-specific sorts: the sort journal of academic journals and the sort article of journal articles. To ease the notation, we also use the syntax $t \in I$ as an abbreviation for the constraint $I \supseteq [t, t]$. The following predicates are required:

$\mathrm{is\_approved}(A, K, J)$: Article $A$ is approved by principal $K$ for publication in journal $J$.

$\mathrm{is\_reviewer}(R, A, J)$: Principal $R$ is the reviewer for article $A$ submitted to journal $J$.

$\mathrm{is\_editor}(E, J)$: Principal $E$ is an editor for journal $J$.

$\mathrm{is\_published}(A, J)$: Article $A$ is published in journal $J$.

Journal $J$ appoints $E$ as an editor for term $I$ by issuing the credential $\langle J\rangle\mathrm{is\_editor}(E, J)[I]$. One of an editor's duties is to assign reviewers to articles submitted to the journal. Editor $E$ assigns principal $R$ as the reviewer for article $A$ from time $t$ onward by issuing the credential $\langle E\rangle\mathrm{is\_reviewer}(R, A, J)[[t, \infty)]$. For simplicity, we assume that each article has at most one reviewer, justifying the reference to a reviewer of an article as the reviewer.

Another one of an editor's duties is to process reviews as they come back from reviewers. Editor $E$ accomplishes this by signing the following credential:

approve : $\langle E\rangle(\forall R{:}\mathrm{principal}.\ \forall t_a{:}\mathrm{time}.$
$\quad\langle R\rangle\mathrm{is\_approved}(A, R, J)\,@\,[t_a, t_a] \supset$
$\quad\mathrm{is\_reviewer}(R, A, J)\,@\,[t_a, t_a] \supset$
$\quad(t_a \in I_E) \supset$
$\quad\mathrm{is\_approved}(A, E, J)\,@\,[t_a, \infty))[(-\infty, \infty)]$

If principal $R$ decides to approve article $A$ for publication in journal $J$, he can submit a positive review at time $t_a$ by issuing $\langle R\rangle\mathrm{is\_approved}(A, R, J)[[t_a, t_a]]$. Provided that editor $E$ agrees that $R$ is the reviewer of article $A$ at time $t_a$ and that $t_a \in I_E$, $E$ will accept $R$'s review and approve the article for publication from time $t_a$ onward. If $R$ is not the reviewer of article $A$ or if $t_a \notin I_E$, then the review will not be accepted.

Note that, unlike the policies we have previously seen, approve is not a fixed policy, but rather a template. When $E$ signs the credential, he must instantiate $I_E$ with the interval over which he will accept reviews.

In a similar way, each journal must specify the conditions under which it accepts articles approved by editors. This is done by issuing the following credential:

publish : $\langle J\rangle(\forall E{:}\mathrm{principal}.\ \forall t_a{:}\mathrm{time}.$
$\quad\langle E\rangle\mathrm{is\_approved}(A, E, J)\,@\,[t_a, t_a] \supset$
$\quad\mathrm{is\_editor}(E, J)\,@\,[t_a, t_a] \supset$
$\quad(t_a \in I_J) \supset$
$\quad\mathrm{is\_published}(A, J)\,@\,[t_a, \infty))[(-\infty, \infty)]$

If principal $E$ approves article $A$ for publication in journal $J$, he issues the consumable credential $\langle E\rangle\mathrm{is\_approved}(A, E, J)[[t_a, t_a]]$. If journal $J$ has appointed $E$ as editor during time $t_a$ and if $t_a \in I_J$, $J$ will accept editor $E$'s approval and publish the article from $t_a$ onward. Again, this policy is a template: $J$ must instantiate $I_J$ with the interval during which it will accept articles for publication.
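To make the office-entry and journal derivations concrete, the following is a small backward-chaining checker, added here and not code from the thesis, for the Horn-like fragment of $\eta_N$ logic that both examples use: a goal $\langle K\rangle P[I']$ is proved either from a credential whose interval contains $I'$ (init) or by applying one of $K$'s policies, enforcing the $\supset L$ and $\langle\rangle L$ subinterval provisos and the constraint precondition $t_a \in I$. It assumes that times are plain numbers, that a policy has at most one time variable, named ?ta, whose candidate values are drawn from the interval endpoints in play rather than from a real constraint solver, that constraint preconditions occur only in such ?ta-parameterised policies, and that premises are discharged left to right, so the premise that binds a policy's variables from a credential is listed first; the principal, predicate and article names follow the examples above, while the concrete dates and terms are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from math import inf

@dataclass(frozen=True)
class Interval:
    lo: float
    hi: float
    def contains(self, o: Interval) -> bool:  # decides the constraint  Σ;Ψ ⊨ self ⊇ o
        return self.lo <= o.lo and o.hi <= self.hi

ALL = Interval(-inf, inf)

@dataclass(frozen=True)
class Cred:           # the hypothesis  <k> atom [interval]
    k: str
    atom: tuple
    interval: Interval

@dataclass(frozen=True)
class Premise:        # '?x' strings inside atom are variables
    k: str | None     # None: plain truth, discharged by the issuer's own credential via <>L
    atom: tuple
    at: str = "same"  # "same": the policy's subinterval i;  "pt": premise @ [ta,ta]

@dataclass(frozen=True)
class Policy:         # <k>(forall vars. p1 ⊃ ... ⊃ pn ⊃ (?ta ∈ window) ⊃ head)[validity]
    k: str
    premises: tuple
    head: tuple
    head_at: str = "same"           # "same", or "from": head @ [ta, ∞) (only then is ?ta in play)
    validity: Interval = ALL
    window: Interval | None = None  # None: no constraint precondition

def match(pat: tuple, term: tuple, b: dict) -> dict | None:  # one-way match against a ground tuple
    b = dict(b)
    for p, t in zip(pat, term):
        if isinstance(p, str) and p.startswith("?"):
            if b.setdefault(p, t) != t:
                return None
        elif p != t:
            return None
    return b if len(pat) == len(term) else None

def at_interval(kind: str, goal: Interval, ta) -> Interval:
    return goal if kind == "same" else Interval(ta, ta) if kind == "pt" else Interval(ta, inf)

def prove(k, atom, goal, creds, policies, depth=0):  # derive <k> atom [goal]; rule steps or None
    for c in creds:  # <>R, then init against a credential: needs c.interval ⊇ goal
        if c.k == k and c.atom == atom and c.interval.contains(goal):
            return [f"init: <{k}>{atom}[{c.interval.lo},{c.interval.hi}] ⊇ [{goal.lo},{goal.hi}]"]
    for p in policies:
        b = match(p.head, atom, {}) if p.k == k and depth < 8 else None
        if b is None or not p.validity.contains(goal):  # ⊃L proviso: validity ⊇ goal
            continue
        pts = {goal.lo} | {x for c in creds for x in (c.interval.lo, c.interval.hi)}  # ?ta candidates
        for ta in (sorted(pts - {inf, -inf}) if p.head_at == "from" else [None]):
            if ta is not None and (p.window is not None and not p.window.contains(Interval(ta, ta))
                                   or not at_interval(p.head_at, goal, ta).contains(goal)):
                continue  # ta ∈ window fails (⊃L on the constraint), or head @ [ta,∞) misses the goal
            if (steps := solve(p, p.premises, b, goal, ta, creds, policies, depth)) is not None:
                return [f"<>L/∀L: apply {k}'s policy for {atom} (ta={ta})"] + steps
    return None

def solve(p, prems, b, goal, ta, creds, policies, depth):  # discharge premises left to right
    if not prems:
        return []
    q, at = prems[0], at_interval(prems[0].at, goal, ta)
    issuer = p.k if q.k is None else b.get(q.k, q.k)
    for c in creds:  # a hypothesis matching the premise pattern and covering its interval
        b2 = match((issuer,) + q.atom, (c.k,) + c.atom, b)
        if b2 is None or not c.interval.contains(at) or (q.k is None and not c.interval.contains(goal)):
            continue  # a plain premise uses the issuer's own credential via <>L, which needs I ⊇ goal
        if (rest := solve(p, prems[1:], b2, goal, ta, creds, policies, depth)) is not None:
            return [f"init: <{c.k}>{c.atom} covers [{at.lo},{at.hi}]"] + rest
    ground = (issuer,) + tuple(b.get(x, x) for x in q.atom)
    if q.k is not None and not any(isinstance(x, str) and x.startswith("?") for x in ground):
        sub = prove(issuer, ground[1:], at, creds, policies, depth + 1)  # derive the affirmation instead
        if sub is not None and (rest := solve(p, prems[1:], b, goal, ta, creds, policies, depth)) is not None:
            return sub + rest
    return None

# Constructed office-entry scenario; times are days and May 7, 2008 is the day [0, 1].
OFFICE = (Policy("admin", (), ("may_enter", "?K", "?K")),                                              # own'
          Policy("admin", (Premise("?K1", ("may_enter", "?K2", "?K1")),), ("may_enter", "?K2", "?K1")))  # trust'
C_PRIME = Cred("Alice", ("may_enter", "Bob", "Alice"), Interval(0.0, 1.0))

def bob_may_enter(t: float) -> bool:  # can Bob prove <admin>may_enter(Bob, Alice)[[t,t]]?
    return prove("admin", ("may_enter", "Bob", "Alice"), Interval(t, t), [C_PRIME], OFFICE) is not None

def journal_published(review_time: float, t: float, I_E=Interval(0, 365), I_J=Interval(0, 400)) -> bool:
    # Constructed journal scenario: is A1 provably published in J at t, given R's review at review_time?
    creds = [Cred("J", ("is_editor", "E", "J"), Interval(0, 1000)),          # E's editorial term
             Cred("E", ("is_reviewer", "R", "A1", "J"), Interval(50, inf)),   # reviewer assignment
             Cred("R", ("is_approved", "A1", "R", "J"), Interval(review_time, review_time))]
    approve = Policy("E", (Premise(None, ("is_reviewer", "?R", "A1", "J"), "pt"),  # binds ?R first
                           Premise("?R", ("is_approved", "A1", "?R", "J"), "pt")),
                     ("is_approved", "A1", "E", "J"), "from", ALL, I_E)
    publish = Policy("J", (Premise(None, ("is_editor", "?E", "J"), "pt"),          # binds ?E first
                           Premise("?E", ("is_approved", "A1", "?E", "J"), "pt")),
                     ("is_published", "A1", "J"), "from", ALL, I_J)
    return prove("J", ("is_published", "A1", "J"), Interval(t, t), creds, [approve, publish]) is not None
```

The returned step list is the proof sketch that Bob's phone or the journal would present to the checker; because every hypothesis is persistent, $C'$ justifies any number of entries on May 7, which is exactly the limitation taken up in the next chapter.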


3.3 Meta-theory and Correspondence to GP Logic

As a proof-theoretic logic, $\eta_N$ logic permits a rigorous study of its meta-theory. We examine three properties here: identity, subsumption, and admissibility of cut. In addition, we easily establish a formal correspondence between a fragment of $\eta_N$ logic and GP logic, which is not surprising given the parentage relationship between the two logics.

3.3.1 Meta-theory

The meta-theory for $\eta_N$ logic is slightly more complicated than that of GP logic because of the addition of time. But, it still serves to increase confidence in the soundness of the logic by providing a kind of "sanity check."

Before considering the core meta-theorems, we must state a few lemmata that will be used in the following meta-theoretic proofs:

Lemma 3.1.

1. If $\Sigma;\Psi;\Gamma \vdash \gamma$, then $\Sigma, \Sigma';\Psi, \Psi';\Gamma, \Gamma' \vdash \gamma$.

2. If $\Sigma;\Psi, I \supseteq I'';\Gamma \vdash \gamma$ and $\Sigma;\Psi \models I \supseteq I'$, then $\Sigma;\Psi, I' \supseteq I'';\Gamma \vdash \gamma$.

3. If $\Sigma;\Psi \models C$ and $\Sigma;\Psi, C;\Gamma \vdash \gamma$, then $\Sigma;\Psi;\Gamma \vdash \gamma$.

4. If $\Sigma \vdash t{:}s$ and $\Sigma, x{:}s;\Psi;\Gamma \vdash \gamma$, then $\Sigma;[t/x]\Psi;[t/x]\Gamma \vdash [t/x]\gamma$.

Proof. All parts follow by structural induction on the given derivation. □

As in GP logic, we are still interested in verifying the identity principle. However, with the shift in underlying judgments to hybrid, time-dependent forms, the statement of the theorem must change. For any proposition $A$, it should be possible to conclude from the hypothesis $A[I]$ that $A[I']$, provided $I'$ is a subinterval of $I$. This generalizes the init rule, and is formalized in the following theorem.

Theorem 3.2 (Identity). For all propositions $A$, if $\Sigma;\Psi \models I \supseteq I'$, then $\Sigma;\Psi;\Gamma, A[I] \vdash A[I']$.

Proof. By structural induction on $A$. □

A natural time-dependent property to expect of $\eta_N$ logic is the notion of subsumption. For example, whenever one can prove that $A$ is true on interval $I$, it should be possible, for any subinterval $I'$ of $I$, to construct a similar proof that $A$ is true on $I'$. This can be easily generalized to affirmations. Because this type of subsumption occurs in proof conclusions and not assumptions, it appears to the right of the $\vdash$ symbol in a hypothetical judgment. It is therefore termed right subsumption.

Theorem 3.3 (Right Subsumption).

1. If $\Sigma;\Psi;\Gamma \vdash A[I]$ and $\Sigma;\Psi \models I \supseteq I'$, then $\Sigma;\Psi;\Gamma \vdash A[I']$.

2. If $\Sigma;\Psi;\Gamma \vdash (K\ \mathrm{affirms}\ A)\ \mathrm{at}\ I$ and $\Sigma;\Psi \models I \supseteq I'$, then $\Sigma;\Psi;\Gamma \vdash (K\ \mathrm{affirms}\ A)\ \mathrm{at}\ I'$.

Proof. By simultaneous structural induction on the first given derivation. □

Subsumption can also occur for hypotheses. If interval $I$ is a superinterval of $I'$, the assumption that $A$ is true on interval $I$ is at least as powerful as assuming that $A$ is true on $I'$: the former assumption contains as much (and possibly more) information as the latter. Because hypotheses appear on the left side of the $\vdash$ symbol in a hypothetical judgment, this kind of subsumption is termed left subsumption.

Theorem 3.4 (Left Subsumption). If $\Sigma;\Psi;\Gamma, A[I'] \vdash \gamma$ and $\Sigma;\Psi \models I \supseteq I'$, then $\Sigma;\Psi;\Gamma, A[I] \vdash \gamma$.

Proof. By nested induction on the structures of $A$ and the first given derivation. □

Finally, we can reconsider cut elimination in the context of $\eta_N$ logic. The admissibility of cut for the truth judgment remains relatively unchanged: a proof of $A[I]$ can replace the assumption $A[I]$ of any other proof. However, the admissibility of cut for the affirmation judgment changes in a significant way. As argued in the description of the $\langle\rangle L$ rule, an affirmation made by $K$ during interval $I$ is equivalent to truth, but only if we are currently reasoning about the beliefs that $K$ holds during a subinterval $I'$. Thus, a proof of $(K\ \mathrm{affirms}\ A)\ \mathrm{at}\ I$ can replace the assumption $A[I]$ in a proof of $(K\ \mathrm{affirms}\ B)\ \mathrm{at}\ I'$, provided that $I$ is a superinterval of $I'$.

Theorem 3.5 (Admissibility of Cut).

1. If $\Sigma;\Psi;\Gamma \vdash A[I]$ and $\Sigma;\Psi;\Gamma, A[I] \vdash \gamma$, then $\Sigma;\Psi;\Gamma \vdash \gamma$.

2. If $\Sigma;\Psi;\Gamma \vdash (K\ \mathrm{affirms}\ A)\ \mathrm{at}\ I$, $\Sigma;\Psi;\Gamma, A[I] \vdash (K\ \mathrm{affirms}\ B)\ \mathrm{at}\ I'$, and $\Sigma;\Psi \models I \supseteq I'$, then $\Sigma;\Psi;\Gamma \vdash (K\ \mathrm{affirms}\ B)\ \mathrm{at}\ I'$.

Proof. By simultaneous nested induction on the structures of $A$ and the given derivations. □

The above meta-theorems have been mechanically verified using the Twelf logical framework [35]. The Twelf proofs are available at http://www.andrew.cmu.edu/user/hdeyoung/etalogic/twelf.


3.3.2 Correspondence to GP Logic

Upon careful comparison of the rules of GP logic and the rules of $\eta_N$ logic, a correspondence becomes evident. For example, consider the $\wedge R$ and $\langle\rangle L$ rules:

GP Logic

\[\frac{\Sigma;\Gamma \vdash A \qquad \Sigma;\Gamma \vdash B}{\Sigma;\Gamma \vdash A \wedge B}\ \wedge R
\qquad
\frac{\Sigma;\Gamma, \langle K\rangle A, A \vdash K\ \mathrm{affirms}\ B}{\Sigma;\Gamma, \langle K\rangle A \vdash K\ \mathrm{affirms}\ B}\ \langle\rangle L\]

$\eta_N$ Logic

\[\frac{\Sigma;\Psi;\Gamma \vdash A[I] \qquad \Sigma;\Psi;\Gamma \vdash B[I]}{\Sigma;\Psi;\Gamma \vdash A \wedge B[I]}\ \wedge R
\qquad
\frac{\Sigma;\Psi;\Gamma, \langle K\rangle A[I], A[I] \vdash (K\ \mathrm{affirms}\ B)\ \mathrm{at}\ I' \qquad \Sigma;\Psi \models I \supseteq I'}{\Sigma;\Psi;\Gamma, \langle K\rangle A[I] \vdash (K\ \mathrm{affirms}\ B)\ \mathrm{at}\ I'}\ \langle\rangle L\]

Because there are no notions of time or constraints in GP logic, the correspondence does not extend to these constructs.

The above intuition suggests that GP logic can be encoded into $\eta_N$ logic. Let $\bar{I}$ denote a list of time intervals. Also, if $\Gamma = A_1, \ldots, A_n$ is a GP logic context and $\bar{I} = I_1, \ldots, I_n$, let $\Gamma[\bar{I}]$ be the $\eta_N$ logic context $A_1[I_1], \ldots, A_n[I_n]$.² Finally, define a translation for parameter contexts such that $\bar{\Sigma}$ is $\Sigma$ with interval and time parameters removed.

This permits us to state the following theorem.

Theorem 3.6.

1. If $\bar{\Sigma};\Gamma \vdash A$ and $\Sigma;\Psi \models I \supseteq I'$ for all $I \in \bar{I}$, then $\Sigma;\Psi;\Gamma[\bar{I}] \vdash A[I']$.

2. If $\bar{\Sigma};\Gamma \vdash K\ \mathrm{affirms}\ A$ and $\Sigma;\Psi \models I \supseteq I'$ for all $I \in \bar{I}$, then $\Sigma;\Psi;\Gamma[\bar{I}] \vdash (K\ \mathrm{affirms}\ A)\ \mathrm{at}\ I'$.

Proof. By simultaneous structural induction on the first given derivation. □


Informally, this theorem states that by choosing appropriate intervals for the hypotheses and conclusion of a hypothetical judgment, it is possible to translate a valid GP logic derivation into a valid $\eta_N$ logic derivation. In particular, if the lattice imposed by interval inclusion contains a greatest element, possibly written $(-\infty, \infty)$, then that greatest element can be used for each hypothesis and conclusion in the constructed $\eta_N$ logic derivation.

It is natural to consider whether the converse of the above theorem holds. Specifically, is it possible to derive $\bar{\Sigma};\Gamma \vdash A$ in GP logic and verify that $\Sigma;\Psi \models I \supseteq I'$ holds for each $I \in \bar{I}$, whenever $\Sigma;\Psi;\Gamma[\bar{I}] \vdash A[I']$ is derivable in $\eta_N$ logic? (An analogous converse can be stated for affirmation consequents.)

The full converse does not hold: it is not the case that $\Sigma;\Psi \models I \supseteq I'$ for each $I \in \bar{I}$. When $\not\models I_1 \supseteq I_2$, the following is a simple counterexample.

\[\frac{\cdot;\cdot \models I_2 \supseteq I_2}{\cdot;\cdot;A[I_1], P[I_2] \vdash P[I_2]}\ \mathit{init}\]

However, as the following theorem shows, a partial converse does indeed hold.

Theorem 3.7.

1. If $\Sigma;\Psi;\Gamma[\bar{I}] \vdash A[I']$, then $\bar{\Sigma};\Gamma \vdash A$.

2. If $\Sigma;\Psi;\Gamma[\bar{I}] \vdash (K\ \mathrm{affirms}\ A)\ \mathrm{at}\ I'$, then $\bar{\Sigma};\Gamma \vdash K\ \mathrm{affirms}\ A$.

Proof. By simultaneous structural induction on the given derivation. □

Due to the difficulty of reasoning about context translations in Twelf and the existence of a translation from $\Gamma$ to $\Gamma[\bar{I}]$ in these theorems, the above theorems have not been mechanically verified. This is an opportunity for future work.

² There is an implicit identity translation from GP logic propositions to $\eta_N$ logic propositions here.
3.4 Conclusion

In this chapter, we have derived an authorization logic with explicit time from GP logic, as reviewed in Chapter 2. We illustrated its ability to model complex time-dependent policies through office entry and journal publication examples. We also studied the logic's meta-theory and established a correspondence to GP logic. In addition, we noted the logic's inability to model restrictions on the number of accesses. The effort to correct this deficiency is the focus of the next chapter.


Chapter 4

$\eta_L$ Logic


In the previous chapter, we developed a non-linear authorization logic with explicit time and demonstrated its increased expressive power in the contexts of office entry and journal publication. In addition, we studied the logic's meta-theoretic properties and proved that it subsumes GP logic.

However, we also saw that even $\eta_N$ logic is not sufficiently rich to model many natural access control policies. In particular, policies that place limits on the number of accesses or require finitely usable credentials could not be expressed in the logic.

To express such use-limited policies in a time-independent setting, previous work [23] has combined an authorization logic with linear logic, allowing the authorization constructs to model access control and the linear constructs to model usage limits. In this chapter, we follow this approach and combine $\eta_N$ logic with linear logic to yield a logic that can model both time-dependent and use-limited policies.

Following a brief overview of linear logic, we present the formal system of $\eta_L$ logic. The new logic's increased expressiveness is demonstrated through several examples. Finally, we study a few meta-theoretic properties of the logic, including the admissibility of cut.

4.1 An Overview of Linear Logic

Recall the office entry example from Section 3.2.1 in which an office owner could issue a credential to give a trusted colleague access to his office. For example, we described a scenario in which Alice could allow Bob to enter her office on only May 7, 2008 by issuing the credential:

$\langle\mathrm{Alice}\rangle\mathrm{may\_enter}(\mathrm{Bob}, \mathrm{Alice})[5/7/08]$

Bob could then use this credential in conjunction with the trust' policy to derive

$\langle\mathrm{admin}\rangle\mathrm{may\_enter}(\mathrm{Bob}, \mathrm{Alice})[[t, t]]$

for any time $t$ during May 7, 2008. However, because the assumption corresponding to Alice's credential is persistent, Bob can enter her office an unlimited number of times on that day.

Instead, Alice would like to ensure that Bob can enter only once and only on that day. If the assumption corresponding to Alice's credential could somehow be consumed upon its first use, then it could not be used to authorize further accesses. A possible solution, then, is the extension of $\eta_N$ logic with an ability to model the consumption of objects.

As  a  well-established  logic  for  modeling  such  changes  of  state,  linear  logic  [26,  17]  is  a  perfect 
starting  point.  To  model  the  consumption  of  objects,  linear  logic  does  not  have  a  single  notion  of 
truth,  but  instead  distinguishes  truth  into  two  classes:  truths  that  must  be  used  once,  and  only 
once,  and  truths  that  may  be  used  zero  or  more  times  without  restriction.  A  single-use  truth 
corresponds  to  a  resource,  while  a  multi-use  truth  is  akin  to  a  fact:  objects  are  ephemeral,  but 
knowledge  is  persistent.  It  is  also  occasionally  useful  to  think  of  an  unrestricted  truth  as  a  resource 
factory  that  can  produce  an  unlimited  number  of  copies  of  a  given  resource. 

Introducing such a refinement of truth affects the connectives found in linear logic. For example, implication splits into two forms. Linear implication, ⊸, can be applied to resources and facts. Unrestricted implication, ⊃, on the other hand, can only be applied to facts. Conjunction splits into two forms as well. Simultaneous conjunction, ⊗, represents the existence of two resources in the same state: both resources can be had. On the other hand, alternative conjunction, &, represents a choice between two resources: either resource can be had, but not both. As alternative conjunction represents an internal choice made by the reasoner, it is distinct from disjunction, ⊕, which corresponds to an external choice made by the environment.

4.2  Logical  System 

Now, we formally present ηL logic, making the combination of linear logic and ηN logic suggested above explicit. Changes are made to the system's judgments, and consequently to its propositions and inference rules, while the first-order terms and sorts and the constraints are unaffected.

4.2.1  First-Order  Terms  and  Sorts 

The system of first-order terms and sorts is carried over en bloc from ηN logic. Sorts principal, time, and interval are still required, and the other sorts remain open-ended. Σ continues to stand for a context of parameters in scope, each ascribed with a sort. The judgment Σ ⊢ t:s still means that term t has sort s. Finally, we continue to write [t/x] for the substitution of term t for all free occurrences of x.

4.2.2  Constraints 

We also make no changes to the system of constraints. Superset constraints, I ⊇ I', are still required, and other application-specific constraint forms may still be added as needed. Ψ continues to stand for a context of constraint assumptions. The constraint entailment judgment Σ; Ψ ⊨ C still states that constraint C holds, assuming the constraints in Ψ. Finally, although the constraint entailment judgment remains unspecified, the same six properties are required (repeated here for convenience).

(Hypothesis) Σ; Ψ, C ⊨ C.

(Weakening) If Σ; Ψ ⊨ C, then Σ, Σ'; Ψ, Ψ' ⊨ C.

(Cut) If Σ; Ψ ⊨ C and Σ; Ψ, C ⊨ C', then Σ; Ψ ⊨ C'.

(Substitution) If Σ ⊢ t:s and Σ, x:s; Ψ ⊨ C, then Σ; [t/x]Ψ ⊨ [t/x]C.

(Reflexivity) Σ; Ψ ⊨ I ⊇ I.

(Transitivity) If Σ; Ψ ⊨ I ⊇ I' and Σ; Ψ ⊨ I' ⊇ I'', then Σ; Ψ ⊨ I ⊇ I''.

4.2.3  Judgments 

In accordance with the goal of combining linear logic and ηN logic, we modify the judgments of ηN logic to become the resource-aware judgments of ηL logic. These modifications are analogous to the changes made to ordinary first-order logic to create linear logic.

In the transition from first-order logic to linear logic, truth forks into single-use truth and multi-use truth. In the same way, we split ηN logic's interval truth into single-use interval truth and multi-use interval truth. So, instead of having a judgment form meaning "Proposition A is true during interval I", we have two judgment forms: A[I], meaning "Proposition A is a single-use truth (resource) during interval I", and A[[I]], meaning "Proposition A is a multi-use truth (fact) during interval I". Note that the syntax for the single-use interval truth judgment is the same as the syntax for the interval truth judgment of ηN logic. This should not cause confusion because the underlying logic should always be clear from the context.

To model principals' intents and policies, ηN logic contains an affirmation judgment form (K affirms A) at I, meaning "During interval I, principal K affirms the truth of proposition A on interval I". This judgment form is converted to the resource-aware (K affirms A) at I, meaning "During interval I, principal K affirms that proposition A is a single-use truth (resource) on interval I". This modification of the affirmation judgment for truth to an affirmation judgment for resources is based on the difference between linear GP logic [23] and (non-linear) GP logic [24]. Note that the single-use affirmation judgment uses the same syntax as the affirmation judgment of ηN logic; again, the underlying logic should be clear from the context.

As in ηN logic, ηL logic continues to use hypothetical judgments as the mechanism for handling assumptions. However, because the basic judgments have changed, it is necessary to reconsider the hypothetical judgment forms; in particular, it should be possible to assume both resources A[I] and facts A[[I]].

The hypothetical judgment forms of ηL logic are:

Σ; Ψ; Γ; Δ ⊢ A[I]

Σ; Ψ; Γ; Δ ⊢ (K affirms A) at I

where Σ is a context of parameters, ascribed with sorts, that may appear in Ψ, Γ, Δ, K, A, and I; Ψ is a context of constraints that are assumed to hold; Γ is a set of fact hypotheses of the form A[[I]]; and Δ is a multiset of resource hypotheses of the form A[I]. In the following sections, we will write γ in place of the basic judgment to the right of ⊢ when its form does not matter.

The first of these hypothetical judgment forms means "Assuming that the constraints in Ψ hold, under the fact assumptions in Γ, and by using each resource assumption in Δ exactly once, resource A exists during interval I, parametrically in the members of Σ." Similarly, the second hypothetical judgment form means "Assuming that the constraints in Ψ hold, under the fact assumptions in Γ, and by using each resource assumption in Δ exactly once, principal K affirms, during interval I, that resource A exists on interval I, parametrically in the members of Σ."
4.2.4 Propositions

Now that the judgments of ηL logic have been introduced, it is possible to describe the propositions that these judgments act upon with the following grammar. We retain the propositions relating to affirmation, time, and constraints from ηN logic, but replace the propositions derived from ordinary first-order logic with those of linear logic.

A, B ::= P | A ⊗ B | 1 | A & B | ⊤ | A ⊕ B | A ⊸ B | !A | A ⊃ B | ∀x:s.A | ∃x:s.A
       | ⟨K⟩A | A @ I | C ⊃ A | C ∧ A

P stands for an arbitrary atomic proposition. A ⊗ B, A & B, A ⊕ B, A ⊸ B, and A ⊃ B are simultaneous conjunction, alternative conjunction, disjunction, linear implication, and unrestricted implication, respectively, as described in Section 4.1. 1 is multiplicative truth, the unit for ⊗, and ⊤ is additive truth, the unit for &. !A is the fact A encoded as a resource. ∀x:s.A and ∃x:s.A are universal and existential quantification, respectively. ⟨K⟩A internalizes the affirmation judgment (K affirms A) at I. A @ I internalizes the resource judgment A[I]. C ⊃ A and C ∧ A, where C is a constraint, are constraint implication and constraint conjunction, respectively, adapted from Saranli and Pfenning [38].

One might expect falsehood, 0, from linear logic to be included here. As for ⊥ in ηN logic, any derivation of 0 would permit every principal to access every resource. Including 0 would therefore be a security risk. For this reason, we exclude 0 from ηL logic, as we did ⊥ from ηN logic.

4.2.5  Inference  Rules 

Following the presentations of both GP logic and ηN logic, we now examine the inference rules for ηL logic. According to the philosophies of Gentzen [25] and Martin-Löf [32], these inference rules establish the logic's formal semantics.

We begin our discussion of the inference rules with the rule that defines the meaning of linear hypotheses:

\[
\frac{\Sigma;\Psi \models I \supseteq I'}{\Sigma;\Psi;\Gamma;P[I] \vdash P[I']}\ \text{init}
\]

One would expect that, by assuming resource A exists during interval I, it should be possible to conclude that resource A exists during any subinterval I' of I. As in the previous logics, this property, restricted to atomic propositions P, is stated explicitly in the init rule. The rule is recovered in its full generality as Theorem 4.2 (cf. Section 4.4). Note that only the single resource hypothesis P[I] is permitted in this rule. This ensures that resources cannot be discarded: since only P[I] is used in this rule, any other resources that might have been allowed here would not have been used.

Next, we examine the inference rule that defines the meaning of fact hypotheses:

\[
\frac{\Sigma;\Psi;\Gamma,A[[I]];\Delta,A[I] \vdash \gamma}{\Sigma;\Psi;\Gamma,A[[I]];\Delta \vdash \gamma}\ \text{copy}
\]

We previously mentioned that it is occasionally useful to think of facts as resource factories that can produce an unlimited number of resources of a given type. The copy rule is the most convincing example of this perspective. If the resource factory A[[I]] is assumed to exist, it can be called upon at any point to produce the resource A[I]. Producing this resource does not incapacitate the factory, and so the hypothesis A[[I]] persists in the copy rule's premise.

Next, we consider the right and left rules for the @ connective:

\[
\frac{\Sigma;\Psi;\Gamma;\Delta \vdash A[I]}{\Sigma;\Psi;\Gamma;\Delta \vdash A @ I[I']}\ @R
\qquad
\frac{\Sigma;\Psi;\Gamma;\Delta,A[I] \vdash \gamma}{\Sigma;\Psi;\Gamma;\Delta,A @ I[I'] \vdash \gamma}\ @L
\]

These rules have very similar structure to the corresponding rules of ηN logic (cf. Figure 3.1). There are only two differences. First, the rules now carry resource hypotheses, Δ, in addition to fact hypotheses, Γ. Second, the left rule operates on resource assumptions, not fact assumptions. These two differences are also present in the rules for the other connectives borrowed from ηN logic.
Next, we consider the right and left rules for linear implication:

\[
\frac{\Sigma,i{:}\mathit{interval};\Psi,I \supseteq i;\Gamma;\Delta,A[i] \vdash B[i]}{\Sigma;\Psi;\Gamma;\Delta \vdash A \multimap B[I]}\ {\multimap}R
\]

\[
\frac{\Sigma;\Psi;\Gamma;\Delta_1 \vdash A[I'] \qquad \Sigma;\Psi \models I \supseteq I' \qquad \Sigma;\Psi;\Gamma;\Delta_2,B[I'] \vdash \gamma}{\Sigma;\Psi;\Gamma;\Delta_1,\Delta_2,A \multimap B[I] \vdash \gamma}\ {\multimap}L
\]

The judgment A ⊸ B[I] can be intuitively thought of as a plan for converting resource A to resource B that is only available during interval I. Such a conversion can be established by deriving B[i] from A[i], parametrically in the arbitrary subinterval i of I. The use of the fresh parameter i and the constraint I ⊇ i ensures that the conversion A ⊸ B is available at all times during I. This intuition is captured by the right rule, ⊸R. It is important to note that A[i] is a resource hypothesis in the premise of this rule: A[i] must be used exactly once in the derivation of B[i].

The left rule, ⊸L, also supports the conversion intuition for A ⊸ B[I]. Given the resource A[I'], the conversion can be carried out to produce the resource B[I'], provided I' is a subinterval of I. Observe that the resources are split among the premises of the rule; the resources Δ1 used to establish A[I'] are consumed and cannot be used to establish γ in the other premise.

Next, we give the right and left rules for unrestricted implication:

\[
\frac{\Sigma,i{:}\mathit{interval};\Psi,I \supseteq i;\Gamma,A[[i]];\Delta \vdash B[i]}{\Sigma;\Psi;\Gamma;\Delta \vdash A \supset B[I]}\ {\supset}R
\]

\[
\frac{\Sigma;\Psi;\Gamma;\cdot \vdash A[I'] \qquad \Sigma;\Psi \models I \supseteq I' \qquad \Sigma;\Psi;\Gamma;\Delta,B[I'] \vdash \gamma}{\Sigma;\Psi;\Gamma;\Delta,A \supset B[I] \vdash \gamma}\ {\supset}L
\]

These rules are quite similar to the ⊸R and ⊸L rules for linear implication. A ⊃ B[I] may also be thought of as a conversion. However, the conversion is from fact A, not resource A, to resource B. For this reason, the A[[i]] assumption introduced in the ⊃R rule is a fact hypothesis. Accordingly, no resources may be used in establishing the requisite A[I'] in the ⊃L rule; the conversion only applies to facts. It should be noted that A ⊃ B can be defined in terms of ⊸ and !, whose rules are given in Figure 4.1, as (!A) ⊸ B; the ⊃R and ⊃L rules are then derivable.
Finally, we present the right and left rules for simultaneous conjunction:

\[
\frac{\Sigma;\Psi;\Gamma;\Delta_1 \vdash A[I] \qquad \Sigma;\Psi;\Gamma;\Delta_2 \vdash B[I]}{\Sigma;\Psi;\Gamma;\Delta_1,\Delta_2 \vdash A \otimes B[I]}\ {\otimes}R
\qquad
\frac{\Sigma;\Psi;\Gamma;\Delta,A[I],B[I] \vdash \gamma}{\Sigma;\Psi;\Gamma;\Delta,A \otimes B[I] \vdash \gamma}\ {\otimes}L
\]

The judgment A ⊗ B[I] represents the existence of resources A and B in the same state during interval I. The right rule, ⊗R, shows that in establishing A ⊗ B[I], the resource hypotheses Δ1, Δ2 are split among the premises, with Δ1 and Δ2 being used to establish A[I] and B[I], respectively. By splitting the resources, the left rule, ⊗L, is justified: from A ⊗ B[I], we may have both A[I] and B[I] because the resources used to originally establish them were disjoint.

These rules and the rules for ⊸ imply the usual equivalence of curried and uncurried linear implications: A ⊸ (B ⊸ C)[I] and (A ⊗ B) ⊸ C[I] entail each other.

The remaining connectives are all standard to linear logic [26, 17]. Because they interact only weakly with time, their rules are rather straightforward modifications of the corresponding rules in linear logic. Figure 4.1 summarizes all of the inference rules of ηL logic.

Before concluding this section, we illustrate some key properties of ηL logic. We write ⊢ A if, for all Σ, Ψ, and I, Σ; Ψ; ·; · ⊢ A[I] is derivable, and write ⊬ A otherwise. Also, A ≡ B stands for (A ⊸ B) & (B ⊸ A).

First, we note that ⟨K⟩ remains similar to a lax modality [20] and that ⟨K⟩A does not entail A in general:

1. ⊢ A ⊸ (⟨K⟩A)

2. ⊢ (⟨K⟩⟨K⟩A) ⊸ (⟨K⟩A)

3. ⊢ (⟨K⟩(A ⊸ B)) ⊸ ((⟨K⟩A) ⊸ (⟨K⟩B))

4. ⊬ (⟨K⟩A) ⊸ A

Next, we give a few properties of the @ connective. These properties are analogous to those of ηN logic.

5. ⊬ (A @ I) ⊸ (A @ I')

6. ⊢ (I ⊇ I') ⊃ ((A @ I) ⊸ (A @ I'))

7. ⊢ (A @ I) ≡ (A @ I @ I')

8. ⊢ ((A ⊗ B) @ I) ≡ ((A @ I) ⊗ (B @ I))

9. ⊢ ((A & B) @ I) ≡ ((A @ I) & (B @ I))

10. ⊢ ((A ⊕ B) @ I) ≡ ((A @ I) ⊕ (B @ I))

11. ⊢ ((A ⊸ B) @ I) ⊸ ((A @ I) ⊸ (B @ I))

12. ⊬ ((A @ I) ⊸ (B @ I)) ⊸ ((A ⊸ B) @ I)

13. ⊢ ((A ⊃ B) @ I) ⊸ ((A @ I) ⊃ (B @ I))
Basic Rules

\[
\frac{\Sigma;\Psi \models I \supseteq I'}{\Sigma;\Psi;\Gamma;P[I] \vdash P[I']}\ \text{init}
\qquad
\frac{\Sigma;\Psi;\Gamma,A[[I]];\Delta,A[I] \vdash \gamma}{\Sigma;\Psi;\Gamma,A[[I]];\Delta \vdash \gamma}\ \text{copy}
\]

A @ I

\[
\frac{\Sigma;\Psi;\Gamma;\Delta \vdash A[I]}{\Sigma;\Psi;\Gamma;\Delta \vdash A @ I[I']}\ @R
\qquad
\frac{\Sigma;\Psi;\Gamma;\Delta,A[I] \vdash \gamma}{\Sigma;\Psi;\Gamma;\Delta,A @ I[I'] \vdash \gamma}\ @L
\]

Constraints

\[
\frac{\Sigma;\Psi,C;\Gamma;\Delta \vdash A[I]}{\Sigma;\Psi;\Gamma;\Delta \vdash C \supset A[I]}\ {\supset}R
\qquad
\frac{\Sigma;\Psi \models C \qquad \Sigma;\Psi;\Gamma;\Delta,A[I] \vdash \gamma}{\Sigma;\Psi;\Gamma;\Delta,C \supset A[I] \vdash \gamma}\ {\supset}L
\]

\[
\frac{\Sigma;\Psi \models C \qquad \Sigma;\Psi;\Gamma;\Delta \vdash A[I]}{\Sigma;\Psi;\Gamma;\Delta \vdash C \wedge A[I]}\ {\wedge}R
\qquad
\frac{\Sigma;\Psi,C;\Gamma;\Delta,A[I] \vdash \gamma}{\Sigma;\Psi;\Gamma;\Delta,C \wedge A[I] \vdash \gamma}\ {\wedge}L
\]

Affirmation and ⟨K⟩A

\[
\frac{\Sigma;\Psi;\Gamma;\Delta \vdash A[I]}{\Sigma;\Psi;\Gamma;\Delta \vdash (K\ \mathit{affirms}\ A)\ \mathit{at}\ I}\ \text{affirms}
\qquad
\frac{\Sigma;\Psi;\Gamma;\Delta \vdash (K\ \mathit{affirms}\ A)\ \mathit{at}\ I}{\Sigma;\Psi;\Gamma;\Delta \vdash \langle K\rangle A[I]}\ {\langle\rangle}R
\]

\[
\frac{\Sigma;\Psi;\Gamma;\Delta,A[I] \vdash (K\ \mathit{affirms}\ B)\ \mathit{at}\ I' \qquad \Sigma;\Psi \models I \supseteq I'}{\Sigma;\Psi;\Gamma;\Delta,\langle K\rangle A[I] \vdash (K\ \mathit{affirms}\ B)\ \mathit{at}\ I'}\ {\langle\rangle}L
\]

Other Connectives

\[
\frac{\Sigma;\Psi;\Gamma;\Delta_1 \vdash A[I] \qquad \Sigma;\Psi;\Gamma;\Delta_2 \vdash B[I]}{\Sigma;\Psi;\Gamma;\Delta_1,\Delta_2 \vdash A \otimes B[I]}\ {\otimes}R
\qquad
\frac{\Sigma;\Psi;\Gamma;\Delta,A[I],B[I] \vdash \gamma}{\Sigma;\Psi;\Gamma;\Delta,A \otimes B[I] \vdash \gamma}\ {\otimes}L
\]

\[
\frac{}{\Sigma;\Psi;\Gamma;\cdot \vdash 1[I]}\ 1R
\qquad
\frac{\Sigma;\Psi;\Gamma;\Delta \vdash \gamma}{\Sigma;\Psi;\Gamma;\Delta,1[I] \vdash \gamma}\ 1L
\]

Figure 4.1: The inference rules for ηL logic.
Other Connectives, cont.

\[
\frac{\Sigma;\Psi;\Gamma;\Delta \vdash A[I] \qquad \Sigma;\Psi;\Gamma;\Delta \vdash B[I]}{\Sigma;\Psi;\Gamma;\Delta \vdash A \mathbin{\&} B[I]}\ {\&}R
\qquad
\frac{\Sigma;\Psi;\Gamma;\Delta,A[I] \vdash \gamma}{\Sigma;\Psi;\Gamma;\Delta,A \mathbin{\&} B[I] \vdash \gamma}\ {\&}L_1
\qquad
\frac{\Sigma;\Psi;\Gamma;\Delta,B[I] \vdash \gamma}{\Sigma;\Psi;\Gamma;\Delta,A \mathbin{\&} B[I] \vdash \gamma}\ {\&}L_2
\]

\[
\frac{}{\Sigma;\Psi;\Gamma;\Delta \vdash \top[I]}\ {\top}R
\]

\[
\frac{\Sigma;\Psi;\Gamma;\Delta \vdash A[I]}{\Sigma;\Psi;\Gamma;\Delta \vdash A \oplus B[I]}\ {\oplus}R_1
\qquad
\frac{\Sigma;\Psi;\Gamma;\Delta \vdash B[I]}{\Sigma;\Psi;\Gamma;\Delta \vdash A \oplus B[I]}\ {\oplus}R_2
\qquad
\frac{\Sigma;\Psi;\Gamma;\Delta,A[I] \vdash \gamma \qquad \Sigma;\Psi;\Gamma;\Delta,B[I] \vdash \gamma}{\Sigma;\Psi;\Gamma;\Delta,A \oplus B[I] \vdash \gamma}\ {\oplus}L
\]

\[
\frac{\Sigma,i{:}\mathit{interval};\Psi,I \supseteq i;\Gamma;\Delta,A[i] \vdash B[i]}{\Sigma;\Psi;\Gamma;\Delta \vdash A \multimap B[I]}\ {\multimap}R
\qquad
\frac{\Sigma;\Psi;\Gamma;\Delta_1 \vdash A[I'] \qquad \Sigma;\Psi \models I \supseteq I' \qquad \Sigma;\Psi;\Gamma;\Delta_2,B[I'] \vdash \gamma}{\Sigma;\Psi;\Gamma;\Delta_1,\Delta_2,A \multimap B[I] \vdash \gamma}\ {\multimap}L
\]

\[
\frac{\Sigma;\Psi;\Gamma;\cdot \vdash A[I]}{\Sigma;\Psi;\Gamma;\cdot \vdash \mathord{!}A[I]}\ {!}R
\qquad
\frac{\Sigma;\Psi;\Gamma,A[[I]];\Delta \vdash \gamma}{\Sigma;\Psi;\Gamma;\Delta,\mathord{!}A[I] \vdash \gamma}\ {!}L
\]

\[
\frac{\Sigma,i{:}\mathit{interval};\Psi,I \supseteq i;\Gamma,A[[i]];\Delta \vdash B[i]}{\Sigma;\Psi;\Gamma;\Delta \vdash A \supset B[I]}\ {\supset}R
\qquad
\frac{\Sigma;\Psi;\Gamma;\cdot \vdash A[I'] \qquad \Sigma;\Psi \models I \supseteq I' \qquad \Sigma;\Psi;\Gamma;\Delta,B[I'] \vdash \gamma}{\Sigma;\Psi;\Gamma;\Delta,A \supset B[I] \vdash \gamma}\ {\supset}L
\]

\[
\frac{\Sigma,x{:}s;\Psi;\Gamma;\Delta \vdash A[I]}{\Sigma;\Psi;\Gamma;\Delta \vdash \forall x{:}s.A[I]}\ {\forall}R
\qquad
\frac{\Sigma \vdash t{:}s \qquad \Sigma;\Psi;\Gamma;\Delta,[t/x]A[I] \vdash \gamma}{\Sigma;\Psi;\Gamma;\Delta,\forall x{:}s.A[I] \vdash \gamma}\ {\forall}L
\]

\[
\frac{\Sigma \vdash t{:}s \qquad \Sigma;\Psi;\Gamma;\Delta \vdash [t/x]A[I]}{\Sigma;\Psi;\Gamma;\Delta \vdash \exists x{:}s.A[I]}\ {\exists}R
\qquad
\frac{\Sigma,x{:}s;\Psi;\Gamma;\Delta,A[I] \vdash \gamma}{\Sigma;\Psi;\Gamma;\Delta,\exists x{:}s.A[I] \vdash \gamma}\ {\exists}L
\]

Figure 4.2: The inference rules for ηL logic, continued.
14. ⊬ ((A @ I) ⊃ (B @ I)) ⊸ ((A ⊃ B) @ I)

15. ⊬ ((⟨K⟩A) @ I) ⊸ (⟨K⟩(A @ I))

16. ⊬ (⟨K⟩(A @ I)) ⊸ ((⟨K⟩A) @ I)

Property 5 shows that, in general, truth on one interval does not imply truth on another interval: the two intervals may be unrelated. However, as property 6 demonstrates, truth on an interval does indeed imply truth on a subinterval. Property 7 shows that only the innermost @ I qualification matters. Properties 8-10 indicate that the natural distributive laws for @ over ⊗, &, and ⊕ hold. Properties 11-14 show that @ distributes over ⊸ and ⊃ only in one direction. Properties 15 and 16 demonstrate that @ does not distribute over ⟨K⟩ in either direction.

Finally, ηL logic is consistent:

17.

4.3 Examples

To highlight the increased expressive power of ηL logic, we now present two examples that illustrate the use of finitely-usable credentials in combination with explicit time. First, we refine the office entry example from previous chapters for the new logic. Second, we consider the application of the logic to a simple homework assignment administration system.

In these examples, we adopt the conventions that @, ⊸, ⊃, and constraint implication are right associative, and that binding precedence decreases in the order: ⟨⟩; @; ⊸, ⊃, and constraint implication; ∀.

4.3.1 Office Entry

Recall, from Section 3.2.1, the office entry example inspired by the Grey system [9, 8]. The example assumed an administrating principal, admin, that managed access to offices, and used the predicate may_enter, where may_enter(K2, K1) meant that K2 could enter K1's office. The policies proposed for a PCA architecture based on ηN logic were:

own' : ⟨admin⟩(∀K:principal. may_enter(K, K))[(−∞, ∞)]

trust' : ⟨admin⟩(∀K1:principal. ∀K2:principal.
           ⟨K1⟩may_enter(K2, K1) ⊃
           may_enter(K2, K1))[(−∞, ∞)]

But these policies did not model restrictions on the number of times that a user may enter an office. In fact, these restrictions cannot be expressed in ηN logic, motivating the design of ηL logic. Now that we have developed a logic ostensibly capable of modeling single-use authorizations, it should be possible to refine the own' and trust' policies to incorporate the desired usage restrictions. We begin by revising own'.

Because ηL logic contains ⟨K⟩ and ∀ propositions and uses the same interval structures as ηN logic, a first attempt at revision would be to use the same proposition and validity interval as own'. But, should the policy be represented as a fact or as a resource? Because it is natural to expect that an office owner should be able to enter his office an unlimited number of times (at least in the setting of academic offices), the policy should be represented as a fact:

own'' : ⟨admin⟩(∀K:principal. may_enter(K, K))[[(−∞, ∞)]]

It is also possible to refine the trust' policy for use with ηL logic. Again, most of the policy can remain unchanged. However, because trust' uses implication, we must carefully choose the form of ηL logic implication. Since our goal is to permit office owners to restrict the number of times a colleague may enter, we choose ⊸: it can be applied to single-use resources, while ⊃ can only be applied to multi-use facts. Since no usage restrictions should be placed on the trust'' policy itself, it is represented as the fact:

trust'' : ⟨admin⟩(∀K1:principal. ∀K2:principal.
            ⟨K1⟩may_enter(K2, K1) ⊸
            may_enter(K2, K1))[[(−∞, ∞)]]

We now revisit the dilemma of Alice and Bob: Alice is away from the office on May 7, 2008 and wants to allow Bob to enter her office once (and only once) on that day. To do this, Alice can now issue the single-use credential, imported into the system as the resource hypothesis:

C'' : ⟨Alice⟩may_enter(Bob, Alice)[5/7/08]

Suppose that Bob approaches Alice's office door at time t0 and requests access. Provided that t0 is during May 7, 2008, Bob can combine the trust'' policy with Alice's credential to construct the required proof of

Σ_{A,B}; ·; own'', trust''; C'' ⊢ ⟨admin⟩may_enter(Bob, Alice)[[t0, t0]]

where Σ_{A,B} assigns the sort principal to all principals in the system. However, the ⊸ in the trust'' policy causes the resource hypothesis C'' to be consumed. The reference monitor records this usage of C''. If Bob attempts to enter Alice's office again at some later time t1, he will be asked to prove

Σ_{A,B}; ·; own'', trust''; · ⊢ ⟨admin⟩may_enter(Bob, Alice)[[t1, t1]]

The reference monitor does not allow the resource hypothesis C'' to be used in this proof because it has already been consumed by the proof at time t0. It is easy to check that it is impossible to prove the judgment required for access at time t1. Thus, Alice has successfully restricted Bob to entering her office at most once during May 7, 2008.

As this example shows, ηL logic has improved on ηN logic by permitting usage restrictions on authorizations. We proceed to give two further examples of the increased expressive power of ηL logic.
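The reference monitor behaviour described above, as an added illustration that is not code from the thesis: fact hypotheses (Γ) are looked up without being removed, as the copy rule permits, while resource hypotheses (Δ) are deleted the moment the ⊸ in trust'' consumes them. The class and function names, the hour-based time scale and the credential values are assumptions of this example; the own'' and trust'' policies are built into the monitor rather than searched for as propositions.

```python
# Added example (not code from the thesis): a minimal reference monitor that
# keeps fact hypotheses (Gamma, reusable via the copy rule) apart from
# resource hypotheses (Delta, consumed when the linear implication in
# trust'' is used) for the office-entry example.  Times are constructed
# sample values: hours since midnight on May 7, 2008.
from dataclasses import dataclass, field

Interval = tuple[float, float]          # closed interval [lo, hi]
MAY_7_2008: Interval = (0.0, 24.0)      # constructed: the day of Alice's credential C''


def superset(outer: Interval, inner: Interval) -> bool:
    """The constraint I ⊇ I' of the thesis, for closed intervals."""
    return outer[0] <= inner[0] and inner[1] <= outer[1]


@dataclass(frozen=True)
class MayEnter:
    """The credential <issuer>may_enter(visitor, owner)[interval]."""
    issuer: str
    visitor: str
    owner: str
    interval: Interval

    def authorizes(self, visitor: str, owner: str, t: float) -> bool:
        # The credential must be issued by the owner (the <K1> of trust'')
        # and its interval must cover the point interval [t, t] of the request.
        return (self.issuer == owner and self.visitor == visitor
                and self.owner == owner and superset(self.interval, (t, t)))


@dataclass
class Monitor:
    facts: list[MayEnter] = field(default_factory=list)      # Gamma: multi-use
    resources: list[MayEnter] = field(default_factory=list)  # Delta: single-use

    def request_entry(self, visitor: str, owner: str, t: float) -> bool:
        """Decide <admin>may_enter(visitor, owner)[[t, t]] under own'' and trust''."""
        if visitor == owner:          # own'': an owner enters without limit (a fact)
            return True
        # trust'' with a fact credential: the copy rule yields a fresh copy of
        # the hypothesis, so nothing is removed from Gamma.
        if any(c.authorizes(visitor, owner, t) for c in self.facts):
            return True
        # trust'' with a resource credential: the ⊸L rule consumes the
        # hypothesis, so it is removed from Delta and cannot be used again.
        for idx, c in enumerate(self.resources):
            if c.authorizes(visitor, owner, t):
                del self.resources[idx]
                return True
        return False


def office_entry_demo() -> tuple[bool, bool, int]:
    """Alice's single-use C'': Bob enters at t0 = 9:00 and is refused at t1 = 15:00."""
    m = Monitor()
    m.resources.append(MayEnter("Alice", "Bob", "Alice", MAY_7_2008))   # C''
    first = m.request_entry("Bob", "Alice", 9.0)
    second = m.request_entry("Bob", "Alice", 15.0)
    return first, second, len(m.resources)      # (True, False, 0)


def multi_use_demo() -> tuple[bool, bool]:
    """The same credential placed in Gamma as a fact admits Bob repeatedly."""
    m = Monitor(facts=[MayEnter("Alice", "Bob", "Alice", MAY_7_2008)])
    return m.request_entry("Bob", "Alice", 9.0), m.request_entry("Bob", "Alice", 15.0)


def wrong_day_demo() -> tuple[bool, int]:
    """A request outside the credential's interval fails and leaves C'' unconsumed."""
    m = Monitor(resources=[MayEnter("Alice", "Bob", "Alice", MAY_7_2008)])
    return m.request_entry("Bob", "Alice", 30.0), len(m.resources)   # (False, 1)
```

The difference between the two lookups is the whole point of the example: the fact list is only read, the resource list is mutated, so a second proof attempt at t1 finds the empty Δ that the judgment above shows to the left of ⊢.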

4.3.2 Filling Painkiller Prescriptions

We now consider the specification of pharmacy policies for dispensing painkilling medications in ηL logic. To prevent addiction, painkillers are tightly regulated. A patient must submit a valid doctor's prescription to the pharmacist and may only receive a few days' worth of pills at a time. Only after those pills are used can the patient be given more medication. The policies described below enforce these restrictions.

This example requires the application-specific sort int for integers, function symbols + and − for integer addition and subtraction, and a ≤ order constraint over integers. In addition, the following predicates are used:

submit_order : A request to submit a prescription.

script(K, n) : A prescription for principal K to have n days' worth of pills.

is_doctor(D) : Principal D is a doctor.

record(K, n) : A pharmacist's record that principal K has n remaining days' worth of pills on his prescription.

receipt(D, K, n, i) : A receipt that a prescription signed by principal D for principal K to have n days' worth of pills during interval i was received.

request_dispense(n) : A request that n days' worth of pills be dispensed.

pills(K, n) : Principal K has n days' worth of pills.

Suppose that a doctor D wishes to issue a prescription for n days' worth of painkilling medication to his patient K. He does so by issuing the consumable credential ⟨D⟩(script(K, n) @ i)[[t1, ∞)]. Here i is the interval over which the prescription is valid and medication may be dispensed, and t1 is the time at which the doctor signs the prescription. Note that the left endpoint of i need not match t1; for example, the doctor may sign the prescription several days before the surgery for which the medication is needed.

The first policy, order, specifies the procedure for submitting a doctor's prescription to a pharmacy:

order : (∀K:principal. ∀t:time. ∀D:principal. ∀n:int. ∀i:interval.
          ⟨K⟩submit_order @ [t, t] ⊸
          ⟨D⟩(script(K, n) @ i) @ [t, t] ⊸
          ⟨P⟩is_doctor(D) @ [t, t] ⊃
          (⟨P⟩(record(K, n) @ i) @ [t, ∞) ⊗
           ⟨P⟩receipt(D, K, n, i) @ [t, ∞)))[[(−∞, ∞)]]

Principal K begins a transaction at time t by creating the single-use credential ⟨K⟩submit_order[[t, t]]. The pharmacy P accepts the prescription and issues a receipt if the following conditions are met:

1. ⟨D⟩(script(K, n) @ i) @ [t, t]: at time t, there must exist a prescription for K to have some medication over some interval.

2. ⟨P⟩is_doctor(D) @ [t, t]: the pharmacy P must verify that principal D is indeed a certified doctor at time t.

Under these conditions, the pharmacy will create an internal record of the prescription, so that medication can be dispensed, by issuing the credential ⟨P⟩(record(K, n) @ i) @ [t, ∞). In addition, the pharmacy will give K a receipt of the transaction, modeled as ⟨P⟩receipt(D, K, n, i) @ [t, ∞).

The second policy of the system, dispense, specifies the conditions under which medication can be dispensed:

dispense : (∀K:principal. ∀n':int. ∀t:time. ∀P:principal. ∀n:int. ∀t_f:time.
             ⟨K⟩request_dispense(n') @ [t, t] ⊸
             ⟨P⟩(record(K, n) @ [t, t_f]) @ [t, t] ⊸
             (n' > 0) ⊃ (n' ≤ n) ⊃ (n' ≤ 7) ⊃
             (pills(K, n') @ [t, ∞) ⊗
              ⟨P⟩(record(K, n − n') @ [t + n', t_f]) @ [t, ∞)))[[(−∞, ∞)]]

A principal K requests that n' days' worth of medication be dispensed at time t by creating the single-use credential ⟨K⟩request_dispense(n')[[t, t]]. The pharmacy P carries out this request and updates its internal record if the following conditions are met:

1. ⟨P⟩(record(K, n) @ [t, t_f]) @ [t, t]: at time t, the pharmacy has a record that K may be given n days' worth of medication during [t, t_f].

2. n' > 0: the number of days' worth of medication requested is positive. This prevents negative requests that would increase the amount listed in the pharmacy's record.

3. n' ≤ n: the number of days' worth of medication requested is no more than the total remaining amount K may have. This prevents K from exceeding his prescribed amount.

4. n' ≤ 7: the number of days' worth of medication requested is no more than 7. This ensures that at most one week's worth of medication is dispensed at one time.

Provided that these conditions are satisfied, the pharmacy will dispense n' days' worth of pills to K. K possesses these pills from time t onward. The pharmacy also updates its record by deducting n' from the number of days' worth of pills remaining on K's prescription. In addition, the interval over which K may request these remaining pills is changed to [t + n', t_f]. The expiration date remains the same, but the left endpoint is moved so that K must wait n' more days before new pills can be dispensed. This controls the average rate at which K can consume the pills.

Observe that it is critical that the pharmacy's record is a consumable credential. If the record were persistent, it would be impossible to accurately deduct the medication dispensed and adjust the validity interval: one could use the old record to obtain more medication than prescribed.
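The dispense policy as a state transition, added here as an example and not taken from the thesis: the pharmacy's record is an immutable value that a successful request replaces, which is how the consumption of ⟨P⟩(record(K, n) @ [t, t_f]) @ [t, t] and the production of the new record by ⊗ show up in code. The last function shows the flaw the paragraph above describes, by reusing the original record as if it were a fact. Class and function names, the day-based time scale and the 20-day prescription are assumptions of this example.

```python
# Added example (not the thesis's code): the dispense policy of the pharmacy
# example as a transition on the linear record resource.  Times are
# constructed sample values in days; n and n' count days' worth of pills.
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """<P>(record(patient, remaining) @ [lo, hi]) @ [t, inf): the linear resource."""
    pharmacy: str
    patient: str
    remaining: int
    lo: float        # earliest time at which more pills may be requested
    hi: float        # expiry of the prescription, t_f in the policy


@dataclass(frozen=True)
class Pills:
    """pills(patient, days) @ [since, inf)."""
    patient: str
    days: int
    since: float


def dispense(record: Record, patient: str, n_req: int, t: float):
    """Apply the dispense policy to one request at time t.

    Returns (pills, new_record) on success.  On failure it returns
    (None, record): no instance of the policy applies, so the record
    resource is not consumed and stays exactly as it was.
    """
    # Premise <P>(record(K, n) @ [t, t_f]) @ [t, t]: the record must belong to
    # this patient and its interval [lo, hi] must contain the point [t, t].
    if record.patient != patient or not (record.lo <= t <= record.hi):
        return None, record
    # Constraint premises (n' > 0) ⊃ (n' ≤ n) ⊃ (n' ≤ 7) ⊃ ...
    if not (n_req > 0 and n_req <= record.remaining and n_req <= 7):
        return None, record
    pills = Pills(patient, n_req, since=t)
    # The regenerated record: n - n' remaining, left endpoint moved to t + n'
    # so the patient waits n' days; the expiry t_f is unchanged.
    new_record = Record(record.pharmacy, patient, record.remaining - n_req,
                        lo=t + n_req, hi=record.hi)
    return pills, new_record


def prescription_run():
    """Constructed scenario: a 20-day prescription, valid over [0, 60] days.

    Each entry is (t, n', granted?, remaining after, earliest next request)."""
    rec = Record("P", "K", 20, lo=0.0, hi=60.0)
    log = []
    for n_req, t in [(7, 0.0),    # first week: granted
                     (7, 3.0),    # too early: [3,3] is not within [7,60]
                     (7, 7.0),    # waiting period over: granted
                     (8, 14.0),   # more than a week: refused
                     (-2, 14.0),  # negative request: refused
                     (7, 14.0),   # exceeds the 6 days left: refused
                     (6, 14.0),   # the remainder: granted
                     (1, 20.0),   # nothing left: refused
                     (1, 61.0)]:  # past expiry: refused
        pills, rec = dispense(rec, "K", n_req, t)
        log.append((t, n_req, pills is not None, rec.remaining, rec.lo))
    return log


def persistent_record_flaw() -> int:
    """What goes wrong if the record were a fact: the original 20-day record
    is reused three times at t = 0 and 21 days' worth of pills are handed out."""
    original = Record("P", "K", 20, lo=0.0, hi=60.0)
    total = 0
    for _ in range(3):
        pills, _new = dispense(original, "K", 7, 0.0)   # old record never replaced
        total += pills.days
    return total    # 21, more than the 20 prescribed
```

Note that `dispense` never mutates its argument; whether the old record survives is decided by the caller, and `persistent_record_flaw` is exactly the caller that keeps it. A monitor that treats the record as a resource keeps only the value returned in `new_record`.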


4.3.3 A Homework Assignment Administration System

In this example, we consider the application of ηL logic to a homework assignment administration system. Time is used to express the release and due dates of assignments, while linearity is used to model changes of state in the system.

We postulate sorts for assignments and courses: assignment and course, respectively. In addition, we introduce the following predicates:

request_view(A, C) : A request to view assignment A of course C.

request_submit(A, C) : A request to submit answers for assignment A of course C.

is_professor(P, C) : P is a professor for course C.

is_student(S, C) : S is a student enrolled in course C.

is_assignment(A, C) : A is an assignment for the students in course C.

may_view(S, A, C) : S may view assignment A of course C.

may_submit(S, A, C) : S may submit answers for assignment A of course C.

change_date(A, C, …, …) : A request to change the release and due dates for assignment A of course C to … and …, respectively.
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We  also  assume  an  administrating  principal,  admin,  that  manages  the  system.  This  adminis¬ 
trator  is  responsible  for  initializing  the  courses  in  the  system  at  the  beginning  of  each  semester. 
First,  the  administrator  issues  multi-use  certificates  identifying  the  instructors  of  each  course.  For 
example,  if  principal  P  is  the  professor  for  course  C  during  Spring  2008,  the  administrator  issues 
(admin)  is_professor(P,  C')[S'08].  Second,  the  administrator  issues  a  multi-use  certificate  for  each 
student  enrolled  in  each  course.  For  example,  if  principal  5  is  a  student  enrolled  in  course  C  during 
Spring  2008,  the  administrator  issues  (admin)  is_student(5,  C')[S'08]. 

During  the  semester,  a  professor  P  can  create  an  assignment  A  for  course  C  with  release  date  p 
and  due  date  td  by  stating  (P)is_assignment(A,  C')[[tr,  td]]-  Note  that  this  is  a  single-use  credential. 
This  is  done  to  permit  the  professor  to  change  the  release  and  due  dates,  if  desired  (using  the 
change  policy). 

The system's first policy specifies the conditions under which a principal may view an assignment:


$$\begin{array}{ll}
\mathsf{view} : \big( & \forall S{:}\mathsf{principal}.\ \forall A{:}\mathsf{assignment}.\ \forall C{:}\mathsf{course}.\ \forall t{:}\mathsf{time}.\ \forall P{:}\mathsf{principal}.\ \forall t_r{:}\mathsf{time}.\ \forall t_d{:}\mathsf{time}. \\
& (S)\,\mathsf{request\_view}(A, C) \mathbin{@} [t,t] \multimap \\
& (\mathsf{admin})\,\mathsf{is\_student}(S, C) \mathbin{@} [t,t] \supset \\
& (P)\,\mathsf{is\_assignment}(A, C) \mathbin{@} [t_r,t_d] \multimap \\
& (\mathsf{admin})\,\mathsf{is\_professor}(P, C) \mathbin{@} [t_r,t_d] \supset \\
& (t \geq t_r) \supset \\
& \big((\mathsf{admin})\,\mathsf{may\_view}(S, A, C) \mathbin{@} [t,t] \otimes (P)\,\mathsf{is\_assignment}(A, C) \mathbin{@} [t_r,t_d]\big)\big)[(-\infty,\infty)]
\end{array}$$

A principal S can make a request to view assignment A for course C at time t by creating the certificate (S)request_view(A, C)[[t, t]]. The administrator will let S view the assignment at time t, represented as (admin)may_view(S, A, C) @ [t,t], if the following four conditions are met:

1. (admin)is_student(S, C) @ [t,t]: the administrator affirms that principal S is a student enrolled in course C at the time the request is made, that is, at time t.

2. (P)is_assignment(A, C) @ [t_r,t_d]: some principal P affirms that A is an assignment for course C with release and due dates t_r and t_d, respectively.

3. (admin)is_professor(P, C) @ [t_r,t_d]: the administrator affirms that the above principal P is actually an instructor for course C for the duration of the assignment, that is, during [t_r,t_d].

4. t ≥ t_r: the time at which student S requests access is not before the release date of the assignment. This prevents students from viewing a draft assignment.

Note that the is_assignment credential is consumed and immediately regenerated by this policy. It must be a consumable credential to facilitate the changing of the assignment release and due dates, and yet it cannot be permanently consumed in this policy because then the first viewing would destroy the assignment.

The  system  also  includes  a  policy  that  describes  how  a  principal  may  submit  answers  to  an 
assignment: 
$$\begin{array}{ll}
\mathsf{submit} : \big( & \forall S{:}\mathsf{principal}.\ \forall A{:}\mathsf{assignment}.\ \forall C{:}\mathsf{course}.\ \forall t{:}\mathsf{time}.\ \forall P{:}\mathsf{principal}.\ \forall t_r{:}\mathsf{time}.\ \forall t_d{:}\mathsf{time}. \\
& (S)\,\mathsf{request\_submit}(A, C) \mathbin{@} [t,t] \multimap \\
& (\mathsf{admin})\,\mathsf{is\_student}(S, C) \mathbin{@} [t,t] \supset \\
& (P)\,\mathsf{is\_assignment}(A, C) \mathbin{@} [t_r,t_d] \multimap \\
& (\mathsf{admin})\,\mathsf{is\_professor}(P, C) \mathbin{@} [t_r,t_d] \supset \\
& (t \in [t_r,t_d]) \supset \\
& \big((\mathsf{admin})\,\mathsf{may\_submit}(S, A, C) \mathbin{@} [t,t] \otimes (P)\,\mathsf{is\_assignment}(A, C) \mathbin{@} [t_r,t_d]\big)\big)[(-\infty,\infty)]
\end{array}$$

This policy is quite similar to the view policy. A principal S signals his intent to submit answers for assignment A in course C at time t by constructing the credential (S)request_submit(A, C)[[t, t]]. The administrator allows S to submit answers at time t, represented in the submit policy as (admin)may_submit(S, A, C) @ [t,t], if four conditions are met. The first three conditions are the same as those for the view policy. The fourth condition is t ∈ [t_r,t_d], that is, the time of request must be before the assignment due date (and after the release date). This prevents late assignments from being submitted. Note that, as in the view policy, the is_assignment credential is regenerated.

The final policy permits a course professor to change assignment release and due dates:

$$\begin{array}{ll}
\mathsf{change} : \big( & \forall P{:}\mathsf{principal}.\ \forall A{:}\mathsf{assignment}.\ \forall C{:}\mathsf{course}.\ \forall t'_r{:}\mathsf{time}.\ \forall t'_d{:}\mathsf{time}.\ \forall t_r{:}\mathsf{time}.\ \forall t_d{:}\mathsf{time}. \\
& (P)\,\mathsf{change\_date}(A, C, t'_r, t'_d) \multimap \\
& (P)\,\mathsf{is\_assignment}(A, C) \mathbin{@} [t_r,t_d] \multimap \\
& (\mathsf{admin})\,\mathsf{is\_professor}(P, C) \supset \\
& (P)\,\mathsf{is\_assignment}(A, C) \mathbin{@} [t'_r,t'_d]\big)[(-\infty,\infty)]
\end{array}$$

A principal P can initiate the process of changing the release and due dates of assignment A for course C to t'_r and t'_d, respectively, by issuing the credential (P)change_date(A, C, t'_r, t'_d). If the same principal P has already declared A to be an assignment for course C, represented in the change policy as (P)is_assignment(A, C) @ [t_r,t_d], and if the administrator affirms P to be a professor for course C, represented as (admin)is_professor(P, C), then the dates will be changed: the old is_assignment credential is consumed and a new one with interval [t'_r,t'_d] takes its place. This policy finally justifies the decision to make is_assignment credentials usable only once: if the credential were persistent, then the assignment would have two release dates and two due dates.
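The three policies above, and in particular the consumed-and-regenerated is_assignment credential, can be exercised as a small state machine. The following Python model is an added illustration and is not code from the thesis or its proof checker: multi-use facts (Γ) live in a set, single-use resources (Δ) in a multiset, and each policy function consumes exactly the resources named by its ⊸ premises and produces what its ⊗ conclusion names. The semester as days 0 to 120, the principals prof and alice, and the course cs101 are constructed sample data. Because the change policy writes no interval on its is_professor premise, the model assumes that the professor credential must cover the new dates.

```python
from dataclasses import dataclass

INF = float("inf")   # time constants are integers or ±∞


@dataclass(frozen=True)
class Cred:
    issuer: str
    pred: str
    args: tuple
    interval: tuple   # (lo, hi); (-INF, INF) plays the role of (−∞, ∞)


def covers(outer, inner):
    """I ⊇ I' for closed intervals: lo ≤ lo' and hi' ≤ hi."""
    return outer[0] <= inner[0] and inner[1] <= outer[1]


class Store:
    """Γ (multi-use facts, a set) and Δ (single-use resources, a multiset)."""

    def __init__(self):
        self.facts, self.resources = set(), []

    def fact(self, issuer, pred, *args, at=(-INF, INF)):
        self.facts.add(Cred(issuer, pred, args, at))

    def resource(self, issuer, pred, *args, at=(-INF, INF)):
        self.resources.append(Cred(issuer, pred, args, at))

    def has_fact(self, issuer, pred, args, at):
        # a fact issued for interval I may be used at any subinterval of I
        return any(c.issuer == issuer and c.pred == pred and c.args == args
                   and covers(c.interval, at) for c in self.facts)

    def find(self, pred, args, issuer=None, at=None):
        """First resource matching the pattern, or None; nothing is consumed."""
        for c in self.resources:
            if (c.pred == pred and c.args == args
                    and issuer in (None, c.issuer) and at in (None, c.interval)):
                return c
        return None


def _access(store, kind, S, A, C, t, allowed):
    """Shared body of view and submit: returns the may_* credential, or None
    when no derivation exists (in which case nothing has been consumed)."""
    req = store.find("request_" + kind, (A, C), issuer=S, at=(t, t))
    asg = store.find("is_assignment", (A, C))
    if req is None or asg is None:
        return None
    P, (t_r, t_d) = asg.issuer, asg.interval
    if not (store.has_fact("admin", "is_student", (S, C), (t, t))
            and store.has_fact("admin", "is_professor", (P, C), (t_r, t_d))
            and allowed(t, t_r, t_d)):
        return None
    store.resources.remove(req)   # the ⊸ premises are consumed ...
    store.resources.remove(asg)
    store.resources.append(asg)   # ... and is_assignment is regenerated by the ⊗
    grant = Cred("admin", "may_" + kind, (S, A, C), (t, t))
    store.resources.append(grant)
    return grant


def view(store, S, A, C, t):
    return _access(store, "view", S, A, C, t, lambda t, t_r, t_d: t >= t_r)


def submit(store, S, A, C, t):
    return _access(store, "submit", S, A, C, t, lambda t, t_r, t_d: t_r <= t <= t_d)


def change_date(store, P, A, C, new_r, new_d):
    """Consumes P's change_date request and P's own is_assignment credential,
    then reissues the assignment with the new dates."""
    req = store.find("change_date", (A, C, new_r, new_d), issuer=P)
    asg = store.find("is_assignment", (A, C), issuer=P)
    # Assumption: the policy writes no interval on its is_professor premise;
    # here the professor credential must cover the new dates.
    if (req is None or asg is None or
            not store.has_fact("admin", "is_professor", (P, C), (new_r, new_d))):
        return None
    store.resources.remove(req)
    store.resources.remove(asg)
    new = Cred(P, "is_assignment", (A, C), (new_r, new_d))
    store.resources.append(new)
    return new


def demo():
    """Constructed scenario: the semester as days 0 to 120; hw1 is released
    on day 10 and due on day 20, then extended to day 25."""
    st = Store()
    st.fact("admin", "is_professor", "prof", "cs101", at=(0, 120))
    st.fact("admin", "is_student", "alice", "cs101", at=(0, 120))
    st.resource("prof", "is_assignment", "hw1", "cs101", at=(10, 20))
    out = {}
    st.resource("alice", "request_view", "hw1", "cs101", at=(5, 5))
    out["view_before_release"] = view(st, "alice", "hw1", "cs101", 5) is not None
    st.resource("alice", "request_view", "hw1", "cs101", at=(12, 12))
    out["view_after_release"] = view(st, "alice", "hw1", "cs101", 12) is not None
    st.resource("prof", "change_date", "hw1", "cs101", 10, 25)
    out["changed"] = change_date(st, "prof", "hw1", "cs101", 10, 25) is not None
    st.resource("alice", "request_submit", "hw1", "cs101", at=(23, 23))
    out["submit_in_extension"] = submit(st, "alice", "hw1", "cs101", 23) is not None
    st.resource("alice", "request_submit", "hw1", "cs101", at=(30, 30))
    out["submit_late"] = submit(st, "alice", "hw1", "cs101", 30) is not None
    out["assignments"] = sum(c.pred == "is_assignment" for c in st.resources)
    out["dates"] = st.find("is_assignment", ("hw1", "cs101")).interval
    return out
```

Running demo() refuses the view on day 5 (before release), grants it on day 12, moves the due date from 20 to 25, accepts a submission on day 23 that the original dates would have refused, refuses one on day 30, and leaves exactly one is_assignment credential in the store. That last count is the point the text makes about persistence: had is_assignment been placed in the fact set, change_date could only have added a second copy, and both due dates would have remained derivable.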

4.4 Meta-theory

Now that ηL logic has been formally described and its increased expressive power has been illustrated by examples, we turn to a study of its meta-theoretic properties. As for previous logics, we show that natural properties of ηL logic indeed hold, to increase confidence in the logic's foundations and demonstrate its soundness.

Before  considering  any  meta-theorems  that  are  interesting  in  their  own  right,  we  must  state  a 
few  lemmata: 

Lemma 4.1.

1. If $\Sigma;\Psi;\Gamma;\Delta \vdash \gamma$, then $\Sigma,\Sigma';\Psi,\Psi';\Gamma,\Gamma';\Delta \vdash \gamma$.

2. If $\Sigma;\Psi, I \supseteq I'';\Gamma;\Delta \vdash \gamma$ and $\Sigma;\Psi \models I \supseteq I'$, then $\Sigma;\Psi, I' \supseteq I'';\Gamma;\Delta \vdash \gamma$.

3. If $\models C$ and $\Sigma;\Psi, C;\Gamma;\Delta \vdash \gamma$, then $\Sigma;\Psi;\Gamma;\Delta \vdash \gamma$.

4. If $\Sigma \vdash t : s$ and $\Sigma, x{:}s;\Psi;\Gamma;\Delta \vdash \gamma$, then $\Sigma;[t/x]\Psi;[t/x]\Gamma;[t/x]\Delta \vdash [t/x]\gamma$.

Proof. All parts follow by structural induction on the given derivation. □

In the presentation of ηN logic's meta-theory (cf. Section 3.3.1), we studied an identity principle that generalized the init rule from atomic propositions to compound propositions. It is possible to make the same generalization in ηL logic. As the following theorem shows, from the assumption that proposition A is a resource during interval I, it is possible to conclude that A is a resource during any subinterval I' of I. Because the theorem concerns resource hypotheses and each resource hypothesis must be used exactly once, no other resource hypotheses are permitted here.

Theorem 4.2 (Identity). For all propositions A, if $\Sigma;\Psi \models I \supseteq I'$, then $\Sigma;\Psi;\Gamma;A[I] \vdash A[I']$.

Proof. By structural induction on A. □

In the presentation of ηN logic, we also examined subsumption as a meta-theoretic property. The most basic form of subsumption occurred on the right side of ⊢: from a proof that A is true on interval I, we were able to construct a similar proof that A is true on a subinterval I'. This notion of right subsumption from ηN logic can be easily extended to ηL logic; the theorem and proof are no more complicated.

Theorem 4.3 (Right Subsumption).

1. If $\Sigma;\Psi;\Gamma;\Delta \vdash A[I]$ and $\Sigma;\Psi \models I \supseteq I'$, then $\Sigma;\Psi;\Gamma;\Delta \vdash A[I']$.

2. If $\Sigma;\Psi;\Gamma;\Delta \vdash (K\ \mathsf{affirms}\ A)\ \mathsf{at}\ I$ and $\Sigma;\Psi \models I \supseteq I'$, then $\Sigma;\Psi;\Gamma;\Delta \vdash (K\ \mathsf{affirms}\ A)\ \mathsf{at}\ I'$.

Proof. By simultaneous structural induction on the first given derivation. □

For ηN logic, we also considered subsumption on the left of ⊢. We were able to replace an assumption that A is true on interval I' with an assumption that A is true on a superinterval I. It is also possible to extend this notion of left subsumption to ηL logic. Because the logic now includes fact hypotheses, the theorem must be expanded to make an analogous statement about fact hypotheses.

Theorem 4.4 (Left Subsumption).

1. If $\Sigma;\Psi;\Gamma;\Delta, A[I'] \vdash \gamma$ and $\Sigma;\Psi \models I \supseteq I'$, then $\Sigma;\Psi;\Gamma;\Delta, A[I] \vdash \gamma$.

2. If $\Sigma;\Psi;\Gamma, A[I'];\Delta \vdash \gamma$ and $\Sigma;\Psi \models I \supseteq I'$, then $\Sigma;\Psi;\Gamma, A[I];\Delta \vdash \gamma$.

Proof. By simultaneous nested induction on the structures of A and the first given derivation. □

Finally, we examined the admissibility of cut in our study of the meta-theory of ηN logic. We can also establish the admissibility of cut for ηL logic. However, two significant modifications must be made to the theorem statement. First, when replacing the resource hypothesis A[I] with a proof of A[I], we must be careful to respect the single-use nature of resources. For this reason, the cut rules join the distinct multisets of resources, Δ and Δ', used by the two proofs being combined. Second, a cut rule for fact hypotheses is needed. The proof used to replace a fact hypothesis must prove a fact, and therefore cannot contain resource hypotheses.

Theorem 4.5 (Admissibility of Cut).

1. If $\Sigma;\Psi;\Gamma;\Delta \vdash A[I]$ and $\Sigma;\Psi;\Gamma;\Delta', A[I] \vdash \gamma$, then $\Sigma;\Psi;\Gamma;\Delta', \Delta \vdash \gamma$.

2. If $\Sigma;\Psi;\Gamma;\cdot \vdash A[I]$ and $\Sigma;\Psi;\Gamma, A[I];\Delta \vdash \gamma$, then $\Sigma;\Psi;\Gamma;\Delta \vdash \gamma$.

3. If $\Sigma;\Psi;\Gamma;\Delta \vdash (K\ \mathsf{affirms}\ A)\ \mathsf{at}\ I$, $\Sigma;\Psi;\Gamma;\Delta', A[I] \vdash (K\ \mathsf{affirms}\ B)\ \mathsf{at}\ I'$, and $\Sigma;\Psi \models I \supseteq I'$, then $\Sigma;\Psi;\Gamma;\Delta', \Delta \vdash (K\ \mathsf{affirms}\ B)\ \mathsf{at}\ I'$.

Proof. By simultaneous nested induction on the structures of A and the given derivations. □

Because of the difficulty of encoding the meta-theory of linear logics in Twelf, we have not attempted to mechanically verify the above theorems, instead relying on traditional pencil-and-paper proofs. However, Reed's work on hybrid LF [37] shows promising preliminary steps toward a framework for mechanically verifying linear meta-theorems. We expect that verifying the meta-theory of ηL logic would be a straightforward exercise in such a framework.

In Section 3.3.2, we established a formal correspondence between ηN logic and GP logic, in addition to the meta-theory for ηN logic itself. It is also possible to establish a correspondence between ηL logic and a linear version of GP logic (as in [23]). However, in the interest of space, we will not present a linear GP logic, and therefore do not state the correspondence theorem.

4.5 Conclusion

In this chapter, we revised ηN logic to account for access control policies that require finitely usable credentials, creating ηL logic. We illustrated the new logic's increased expressiveness through two examples: office entry and homework administration. Finally, we conducted a small meta-theoretic study of the logic, culminating in a proof of the admissibility of cut. In the following chapter, we continue to discuss ηL logic by constructing an alternative, natural deduction formulation of the logic and a simple proof checker for it.


Chapter 5

A Proof Checker for ηL Logic


In the previous chapter, we developed a linear authorization logic with explicit time by naturally modifying ηN logic to possess judgments for single-use resources and multi-use facts. We saw that ηL logic is sufficiently expressive to model authorization policies that require single-use credentials or other mutable state.

Proof-carrying authorization (PCA) [6, 7] is an appealing mechanism for enforcing such policies in practice. In PCA, the reference monitor for a given resource requests a proof of authorization for each access request. Only after the reference monitor has verified the proof's correctness will access be granted. For this reason, a sound (and complete) proof checker is a critical component of any PCA architecture.

As the first small step toward a PCA architecture based on ηL logic, this chapter concerns the implementation of a proof checker for the logic. First, we present the well-formedness rules for terms, constraints, and propositions that have been deferred by earlier chapters. Next, we introduce proof terms and describe a bidirectional type checking system built from the logic. Finally, we discuss the implementation techniques used in handling the diverse aspects of the logic, most notably linearity and constraints.

A proof-of-concept implementation of the proof checker presented in this chapter is available online at http://www.andrew.cmu.edu/user/hdeyoung/etalogic/checker.

5.1  Formal  Proof  Checker 

5.1.1  Sorts,  Function  Symbols,  and  Predicates 

We retain from ηL logic the distinguished sorts principal, time, and interval for principals, times, and intervals (sets of times), respectively. The language of sorts can still be extended with application-specific sorts, but this open-endedness must now be made explicit for the purpose of implementation. Sort constants α are introduced to this end, completing the language of sorts:

$$s ::= \mathsf{principal} \mid \mathsf{time} \mid \mathsf{interval} \mid \alpha$$

To list the available sort constants, a signature is needed:

$$\Phi ::= \cdot \mid \Phi, \alpha{:}\mathsf{sort} \mid \ldots$$
$$\begin{array}{c}
\vdash \Phi\ \mathsf{ok} \\[1ex]
\dfrac{}{\vdash \cdot\ \mathsf{ok}} \qquad
\dfrac{\vdash \Phi\ \mathsf{ok} \quad \alpha \notin \mathrm{Dom}(\Phi)}{\vdash \Phi, \alpha{:}\mathsf{sort}\ \mathsf{ok}} \\[2ex]
\dfrac{\Phi \vdash s_i : \mathsf{sort}\ \text{for all } 1 \le i \le n \quad \Phi \vdash s' : \mathsf{sort} \quad f \notin \mathrm{Dom}(\Phi)}{\vdash \Phi, f{:}(s_1 \times \cdots \times s_n) \to s'\ \mathsf{ok}} \\[2ex]
\dfrac{\Phi \vdash s_i : \mathsf{sort}\ \text{for all } 1 \le i \le n \quad p \notin \mathrm{Dom}(\Phi)}{\vdash \Phi, p{:}(s_1 \times \cdots \times s_n)\ \mathsf{ok}} \\[2ex]
\Phi \vdash s : \mathsf{sort} \\[1ex]
\dfrac{\vdash \Phi\ \mathsf{ok}}{\Phi \vdash \mathsf{principal} : \mathsf{sort}} \quad
\dfrac{\vdash \Phi\ \mathsf{ok}}{\Phi \vdash \mathsf{time} : \mathsf{sort}} \quad
\dfrac{\vdash \Phi\ \mathsf{ok}}{\Phi \vdash \mathsf{interval} : \mathsf{sort}} \quad
\dfrac{\vdash \Phi\ \mathsf{ok} \quad \Phi(\alpha) = \mathsf{sort}}{\Phi \vdash \alpha : \mathsf{sort}}
\end{array}$$

Figure 5.1: The well-formedness rules for signatures and sorts.


In fact, sort constants and the signatures declaring them were implicitly assumed in the presentation of ηL logic in Chapter 4. However, because the available sort constants remain unchanged throughout a derivation, we avoided introducing them explicitly to simplify the initial discussion.

Like sort constants, function symbols and predicates were glossed over in Chapter 4 to avoid obscuring the core of ηL logic. Because the available function symbols and predicates also remain unchanged throughout a derivation, they, too, can be included in the signature Φ. We write f:(s_1 × ⋯ × s_n) → s' to indicate that f is a function symbol taking n arguments of sorts s_1, ..., s_n and returning a term of sort s', and write p:(s_1 × ⋯ × s_n) to show that p is a predicate on n terms of sorts s_1, ..., s_n.

$$\Phi ::= \cdot \mid \Phi, \alpha{:}\mathsf{sort} \mid \Phi, f{:}(s_1 \times \cdots \times s_n) \to s' \mid \Phi, p{:}(s_1 \times \cdots \times s_n)$$

The judgment ⊢ Φ ok means that Φ is a well-formed signature; its rules are given in Figure 5.1.

We write Φ ⊢ s : sort for the judgment that s is a well-formed sort in the signature Φ. Figure 5.1 gives the rules for this judgment. The predefined sorts are well-formed in any signature, and a sort constant is well-formed in Φ if it appears in Φ.

5.1.2  Terms 

Although the representation of principals, times, and intervals is left unspecified in ηL logic, our proof checker must fix constructors for these terms. We choose to give no explicit constructors for principals, and instead rely on term parameters as the sole source of principals. In keeping with the examples from Chapters 3 and 4, we let time constants range over integers (n) and positive and negative infinities (∞ and −∞). Similarly, an interval is constructed as a pair of terms ([t, t']). We also allow the application of function symbols to a list of terms. This leads to the following language of terms:

$$t ::= n \mid \infty \mid -\infty \mid [t,t'] \mid f(t_1,\ldots,t_n) \mid x$$

As in earlier chapters, we require an unordered context of term parameters ascribed with sorts to track the parameters in scope:

$$\Sigma ::= \cdot \mid \Sigma, x{:}s$$

The well-formedness rules for contexts of parameters are given in Figure 5.2.

$$\begin{array}{c}
\Phi \vdash \Sigma\ \mathsf{ok} \\[1ex]
\dfrac{\vdash \Phi\ \mathsf{ok}}{\Phi \vdash \cdot\ \mathsf{ok}} \qquad
\dfrac{\Phi \vdash \Sigma\ \mathsf{ok} \quad x \notin \mathrm{Dom}(\Sigma) \quad \Phi \vdash s : \mathsf{sort}}{\Phi \vdash \Sigma, x{:}s\ \mathsf{ok}} \\[2ex]
\Phi;\Sigma;\Psi \vdash t : s \\[1ex]
\dfrac{\Phi;\Sigma \vdash \Psi\ \mathsf{ok}}{\Phi;\Sigma;\Psi \vdash n : \mathsf{time}} \quad
\dfrac{\Phi;\Sigma \vdash \Psi\ \mathsf{ok}}{\Phi;\Sigma;\Psi \vdash \infty : \mathsf{time}} \quad
\dfrac{\Phi;\Sigma \vdash \Psi\ \mathsf{ok}}{\Phi;\Sigma;\Psi \vdash -\infty : \mathsf{time}} \\[2ex]
\dfrac{\Phi;\Sigma;\Psi \vdash t : \mathsf{time} \quad \Phi;\Sigma;\Psi \vdash t' : \mathsf{time} \quad \Phi;\Sigma;\Psi \models t' \ge t}{\Phi;\Sigma;\Psi \vdash [t,t'] : \mathsf{interval}} \\[2ex]
\dfrac{\Phi(f) = (s_1 \times \cdots \times s_n) \to s' \quad \Phi;\Sigma;\Psi \vdash t_i : s_i\ \text{for all } 1 \le i \le n}{\Phi;\Sigma;\Psi \vdash f(t_1,\ldots,t_n) : s'} \qquad
\dfrac{\Phi;\Sigma \vdash \Psi\ \mathsf{ok} \quad \Sigma(x) = s}{\Phi;\Sigma;\Psi \vdash x : s}
\end{array}$$

Figure 5.2: The well-formedness rules for parameter contexts and terms.

With the language of terms defined, we should now describe the conditions under which terms are well-sorted. It is natural to assume that the time constructors n, ∞, and −∞ have sort time under any conditions, as they do not include parameters or any complex structure. Also, we assign the codomain sort of function symbol f to f(t_1, ..., t_n) if t_1, ..., t_n have the domain sorts of f. Finally, it is standard practice to assign sort s to parameter x if this assignment is given in the parameter context Σ.

However, the conditions under which the term [t, t'] should have sort interval are not as clear. We intend that both t and t' have sort time. If this is adopted as the only condition for well-sortedness, how should [t, t'] be interpreted? There are at least two options.

We could interpret [t, t'] as an unordered pair of times that corresponds to the set of times between min{t, t'} and max{t, t'}. Or, we could interpret [t, t'] as the empty set whenever t is larger than t'.

Neither option is particularly compelling, as they do not correspond to typical interpretations of mathematical intervals. It seems cleaner to instead require that the left endpoint of an interval be no larger than the right endpoint. Ordering constraints t' ≥ t from a context Ψ (cf. Section 5.1.3) are therefore needed during sorting. We write Φ; Σ; Ψ ⊢ t : s for the judgment that t has sort s. Figure 5.2 gives its rules.
$$\begin{array}{c}
\Phi;\Sigma;\Psi \vdash C\ \mathsf{constraint} \\[1ex]
\dfrac{\Phi;\Sigma;\Psi \vdash t : \mathsf{time} \quad \Phi;\Sigma;\Psi \vdash t' : \mathsf{time}}{\Phi;\Sigma;\Psi \vdash t \ge t'\ \mathsf{constraint}} \\[2ex]
\Phi;\Sigma \vdash \Psi\ \mathsf{ok} \\[1ex]
\dfrac{\Phi \vdash \Sigma\ \mathsf{ok}}{\Phi;\Sigma \vdash \cdot\ \mathsf{ok}} \qquad
\dfrac{\Phi;\Sigma \vdash \Psi\ \mathsf{ok} \quad \Phi;\Sigma;\Psi \vdash C\ \mathsf{constraint}}{\Phi;\Sigma \vdash \Psi, C\ \mathsf{ok}}
\end{array}$$

Figure 5.3: The well-formedness rules for constraints and constraint contexts.


5.1.3 Constraints

Only ordering constraints t ≥ t' on times are required for the proof checker implementation. Although it would be relatively straightforward to introduce other constraints, we do not choose to do so. The language of constraints is therefore simply:

$$C ::= t \ge t'$$

Superset constraints I ⊇ I' are not needed for the proof checker: as discussed in Section 5.2.4, they can be translated to a conjunction of ≥ constraints. Keeping this in mind, we continue to use I ⊇ I' to simplify the notation.

The judgment Φ; Σ; Ψ ⊢ C constraint means that constraint C is well-formed. The ordering constraint t ≥ t' is well-formed if both t and t' are well-formed times. This rule is given in Figure 5.3. As alluded to in previous rules, a context of constraints is needed:

$$\Psi ::= \cdot \mid \Psi, C$$

We write Φ; Σ ⊢ Ψ ok when Ψ is a well-formed constraint context. Figure 5.3 gives the rules for this judgment.

We continue to write Φ; Σ; Ψ ⊨ C for the judgment that constraint C holds. In the following presentation of bidirectional type checking, the constraint solver is taken as a black box. The specific decision procedure that was implemented is discussed in Section 5.2.4.

5.1.4 Propositions and Types

The propositional connectives are retained from ηL logic, but we refine the description of atomic propositions. An atomic proposition P is now a predicate p applied to a list of terms t_1, ..., t_n: p(t_1, ..., t_n). The language of propositions is summarized by the following grammar:

$$\begin{array}{rcl}
A, B & ::= & p(t_1,\ldots,t_n) \mid A \otimes B \mid \mathbf{1} \mid A \mathbin{\&} B \mid \top \mid A \oplus B \mid A \multimap B \mid {!}A \mid A \supset B \mid \forall x{:}s.A \mid \exists x{:}s.A \\
& \mid & (K)A \mid A \mathbin{@} I \mid C \supset A \mid C \wedge A
\end{array}$$




$$\begin{array}{c}
\Phi;\Sigma;\Psi \vdash A\ \mathsf{prop} \\[1ex]
\dfrac{\Phi(p) = s_1 \times \cdots \times s_n \quad \Phi;\Sigma;\Psi \vdash t_i : s_i\ \text{for all } 1 \le i \le n}{\Phi;\Sigma;\Psi \vdash p(t_1,\ldots,t_n)\ \mathsf{prop}} \qquad
\dfrac{\Phi;\Sigma;\Psi \vdash A\ \mathsf{prop} \quad \Phi;\Sigma;\Psi \vdash B\ \mathsf{prop}}{\Phi;\Sigma;\Psi \vdash A \otimes B\ \mathsf{prop}} \\[2ex]
\dfrac{\Phi;\Sigma \vdash \Psi\ \mathsf{ok}}{\Phi;\Sigma;\Psi \vdash \mathbf{1}\ \mathsf{prop}} \qquad
\dfrac{\Phi;\Sigma;\Psi \vdash A\ \mathsf{prop} \quad \Phi;\Sigma;\Psi \vdash B\ \mathsf{prop}}{\Phi;\Sigma;\Psi \vdash A \mathbin{\&} B\ \mathsf{prop}} \qquad
\dfrac{\Phi;\Sigma \vdash \Psi\ \mathsf{ok}}{\Phi;\Sigma;\Psi \vdash \top\ \mathsf{prop}} \\[2ex]
\dfrac{\Phi;\Sigma;\Psi \vdash A\ \mathsf{prop} \quad \Phi;\Sigma;\Psi \vdash B\ \mathsf{prop}}{\Phi;\Sigma;\Psi \vdash A \oplus B\ \mathsf{prop}} \qquad
\dfrac{\Phi;\Sigma;\Psi \vdash A\ \mathsf{prop} \quad \Phi;\Sigma;\Psi \vdash B\ \mathsf{prop}}{\Phi;\Sigma;\Psi \vdash A \multimap B\ \mathsf{prop}} \\[2ex]
\dfrac{\Phi;\Sigma;\Psi \vdash A\ \mathsf{prop}}{\Phi;\Sigma;\Psi \vdash {!}A\ \mathsf{prop}} \qquad
\dfrac{\Phi;\Sigma;\Psi \vdash A\ \mathsf{prop} \quad \Phi;\Sigma;\Psi \vdash B\ \mathsf{prop}}{\Phi;\Sigma;\Psi \vdash A \supset B\ \mathsf{prop}} \\[2ex]
\dfrac{\Phi \vdash s : \mathsf{sort} \quad \Phi;\Sigma, x{:}s;\Psi \vdash A\ \mathsf{prop}}{\Phi;\Sigma;\Psi \vdash \forall x{:}s.A\ \mathsf{prop}} \qquad
\dfrac{\Phi \vdash s : \mathsf{sort} \quad \Phi;\Sigma, x{:}s;\Psi \vdash A\ \mathsf{prop}}{\Phi;\Sigma;\Psi \vdash \exists x{:}s.A\ \mathsf{prop}} \\[2ex]
\dfrac{\Phi;\Sigma;\Psi \vdash K : \mathsf{principal} \quad \Phi;\Sigma;\Psi \vdash A\ \mathsf{prop}}{\Phi;\Sigma;\Psi \vdash (K)A\ \mathsf{prop}} \qquad
\dfrac{\Phi;\Sigma;\Psi \vdash A\ \mathsf{prop} \quad \Phi;\Sigma;\Psi \vdash I : \mathsf{interval}}{\Phi;\Sigma;\Psi \vdash A \mathbin{@} I\ \mathsf{prop}} \\[2ex]
\dfrac{\Phi;\Sigma;\Psi \vdash C\ \mathsf{constraint} \quad \Phi;\Sigma;\Psi, C \vdash A\ \mathsf{prop}}{\Phi;\Sigma;\Psi \vdash C \supset A\ \mathsf{prop}} \qquad
\dfrac{\Phi;\Sigma;\Psi \vdash C\ \mathsf{constraint} \quad \Phi;\Sigma;\Psi, C \vdash A\ \mathsf{prop}}{\Phi;\Sigma;\Psi \vdash C \wedge A\ \mathsf{prop}} \\[2ex]
\Phi;\Sigma;\Psi \vdash \gamma\ \mathsf{cat} \\[1ex]
\dfrac{\Phi;\Sigma;\Psi \vdash A\ \mathsf{prop} \quad \Phi;\Sigma;\Psi \vdash I : \mathsf{interval}}{\Phi;\Sigma;\Psi \vdash A[I]\ \mathsf{cat}} \qquad
\dfrac{\Phi;\Sigma;\Psi \vdash K : \mathsf{principal} \quad \Phi;\Sigma;\Psi \vdash A\ \mathsf{prop} \quad \Phi;\Sigma;\Psi \vdash I : \mathsf{interval}}{\Phi;\Sigma;\Psi \vdash (K\ \mathsf{affirms}\ A)\ \mathsf{at}\ I\ \mathsf{cat}}
\end{array}$$

Figure 5.4: The well-formedness rules for propositions and categorical judgments.


The judgment Φ; Σ; Ψ ⊢ A prop means that A is a well-formed proposition. Its rules are given in Figure 5.4.

We should call particular attention to the rules for C ⊃ A and C ∧ A. In both rules, proposition A is checked for well-formedness in the presence of constraint C, reminiscent of dependent product and sum types. The presence of constraint C is necessitated by the rule for interval well-formedness. Consider the proposition ∀x:time.(x ≥ 1) ⊃ A @ [1, x], for example. Without the constraint x ≥ 1, the interval [1, x] (and consequently the whole proposition) is not well-formed. A similar example using ∧ is ∃x:time.(x ≥ 1) ∧ A @ [1, x].

In addition to propositions, categorical judgments are required. These correspond to the single-use truth and affirmation judgments from ηL logic:

$$\gamma ::= A[I] \mid (K\ \mathsf{affirms}\ A)\ \mathsf{at}\ I$$

We write Φ; Σ; Ψ ⊢ γ cat for the judgment that γ is a well-formed categorical judgment. For it to be well-formed, each A, I, and K in γ must be a well-formed proposition, interval, and principal, respectively. Figure 5.4 gives the rules for this judgment.

5.1.5 Proof Terms and Their Typing Judgments

In order to verify the correctness of proofs through type checking, explicit proof objects, called proof terms, must be included in the formal system. Each proof term, denoted by the meta-variables M and N, corresponds to a single step in a derivation. We choose a set of natural deduction proof terms:

$$\begin{array}{rcl}
M, N & ::= & u \mid v \\
& \mid & (M : \gamma) \\
& \mid & M \otimes N \mid \mathsf{let}\ M = u_1 \otimes u_2\ \mathsf{in}\ N \\
& \mid & {*} \mid \mathsf{let}\ M = {*}\ \mathsf{in}\ N \\
& \mid & \langle M, N\rangle \mid \mathsf{fst}\ M \mid \mathsf{snd}\ M \\
& \mid & \langle\rangle \\
& \mid & \mathsf{inl}\ M \mid \mathsf{inr}\ M \mid (\mathsf{case}\ M\ \mathsf{of}\ \mathsf{inl}\ u_1 \Rightarrow N_1 \mid \mathsf{inr}\ u_2 \Rightarrow N_2) \\
& \mid & \lambda i,u.M \mid M\mathbin{\hat{}}N\ I \\
& \mid & {!}M \mid \mathsf{let}\ M = {!}v\ \mathsf{in}\ N \\
& \mid & \lambda i,v.M \mid M\ N\ I \\
& \mid & \Lambda x.M \mid M[t] \\
& \mid & \mathsf{pack}\ t\ \mathsf{with}\ M \mid \mathsf{let}\ M = \mathsf{pack}\ x\ \mathsf{with}\ u\ \mathsf{in}\ N \\
& \mid & \_\ \mathsf{affirms}\ M \\
& \mid & (\_)M \mid \mathsf{let}\ M = (\_)u\ \mathsf{in}\ N \\
& \mid & @^{+}M \mid @^{-}M \\
& \mid & \lambda.M \mid M\flat \\
& \mid & \_ \wedge M \mid \mathsf{let}\ M = \_ \wedge u\ \mathsf{in}\ N
\end{array}$$

We use u and v (and their decorated variants) for linear and unrestricted variables, respectively. Because each variable can be identified as linear or unrestricted from the proof term that introduced it, this naming scheme carries no meaning, but is instead adopted solely for convenience. The syntax of the remaining proof terms is a mixture of notation from programming languages and notation mimicking the type corresponding to the proof term.

It should be noted that nearly all type annotations have been eliminated from the proof terms. (In some cases, the omitted annotations are replaced by _.) This is a consequence of the use of bidirectional typing judgments.

There are two bidirectional typing judgments for proof terms: a synthesis judgment M ↑ γ and a checking judgment M ↓ γ.¹ As in earlier chapters, these basic judgments are extended to allow

¹The reader may find it useful to note that the synthesis and checking judgments roughly correspond to neutral and normal deductions for logics. The directionality of the arrow notation, however, is often reversed in presentations of neutral and normal deductions.
$$\begin{array}{c}
\Phi;\Sigma;\Psi \vdash \Gamma\ \mathsf{ok} \\[1ex]
\dfrac{\Phi;\Sigma \vdash \Psi\ \mathsf{ok}}{\Phi;\Sigma;\Psi \vdash \cdot\ \mathsf{ok}} \qquad
\dfrac{\Phi;\Sigma;\Psi \vdash \Gamma\ \mathsf{ok} \quad v \notin \mathrm{Dom}(\Gamma) \quad \Phi;\Sigma;\Psi \vdash A\ \mathsf{prop} \quad \Phi;\Sigma;\Psi \vdash I : \mathsf{interval}}{\Phi;\Sigma;\Psi \vdash \Gamma, v{:}A[I]\ \mathsf{ok}} \\[2ex]
\Phi;\Sigma;\Psi \vdash \Delta\ \mathsf{ok} \\[1ex]
\dfrac{\Phi;\Sigma \vdash \Psi\ \mathsf{ok}}{\Phi;\Sigma;\Psi \vdash \cdot\ \mathsf{ok}} \qquad
\dfrac{\Phi;\Sigma;\Psi \vdash \Delta\ \mathsf{ok} \quad u \notin \mathrm{Dom}(\Delta) \quad \Phi;\Sigma;\Psi \vdash A\ \mathsf{prop} \quad \Phi;\Sigma;\Psi \vdash I : \mathsf{interval}}{\Phi;\Sigma;\Psi \vdash \Delta, u{:}A[I]\ \mathsf{ok}}
\end{array}$$

Figure 5.5: The well-formedness rules for proof contexts.


assumptions, which are ascriptions of types to proof variables in this case. The context Γ contains unrestricted variable typings, v:A[I], and Δ contains linear variable typings, u:A[I]. Figure 5.5 gives the well-formedness rules for these contexts. The full bidirectional typing judgment forms are:

$$\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash M \uparrow \gamma \qquad\qquad \Phi;\Sigma;\Psi;\Gamma;\Delta \vdash M \downarrow \gamma$$

These two judgments differ from an operational perspective. The type is considered an output of the synthesis judgment and an input to the checking judgment, justifying the names: M ↑ γ synthesizes a type γ for M, while M ↓ γ checks M at type γ. It is this operational distinction that allows most type annotations to be omitted from proof terms. In most cases where a type annotation would normally be needed, the checking judgment is used, and therefore the purported type is given as an input. This reduction of required type annotations is a standard benefit of bidirectional type checking [36].

5.1.6 Inference Rules

We now proceed to describe in detail a few inference rules for the typing judgments. As a general rule of thumb, introduction rules and closed-scope elimination rules (having proof terms of the form let ... = ... in ...) use the checking judgment M ↓ γ, while the remaining rules use the synthesis judgment M ↑ γ.

First, compare the hyp rule for synthesizing a type for a linear hypothesis with the hyp' rule for checking the type of a linear hypothesis:

$$\dfrac{}{\Phi;\Sigma;\Psi;\Gamma;u{:}A[I] \vdash u \uparrow A[I]}\ \mathsf{hyp} \qquad
\dfrac{\Phi;\Sigma;\Psi \models I \supseteq I'}{\Phi;\Sigma;\Psi;\Gamma;u{:}A[I] \vdash u \downarrow A[I']}\ \mathsf{hyp'}$$

These rules reiterate the input-output mode difference between the synthesis and checking judgments. Because the hyp rule synthesizes a type for the hypothesis, it must output the largest correct interval; producing a smaller interval would unnecessarily throw away information. On the other hand, because the hyp' rule checks the type of the hypothesis against its input, any input interval I' smaller than the assumed interval I gives a valid type. (In practice, the hyp' rule is not needed: it is derivable from hyp and the other rules.)

Next, we examine the ↑↓ rules for mediating between the two judgments:

$$\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash M \uparrow A[I] \quad \Phi;\Sigma;\Psi \models I \supseteq I'}{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash M \downarrow A[I']}\ {\uparrow\downarrow}$$

$$\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash M \uparrow (K\ \mathsf{affirms}\ A)\ \mathsf{at}\ I \quad \Phi;\Sigma;\Psi \models I \supseteq I'}{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash M \downarrow (K\ \mathsf{affirms}\ A)\ \mathsf{at}\ I'}\ {\uparrow\downarrow}\mathsf{affirms}$$

The ↑↓ rule states that if type A[I] can be synthesized for M and I' is a subinterval of I, then M checks against type A[I']. From an operational perspective, this means that if we are trying to check M against a type, we can synthesize a type for M and verify that the two types are related by subsumption. ↑↓affirms is the analogous rule for affirmation types.

The ↓↑ rule mediates between the two judgments in the opposite direction:

$$\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash M \downarrow \gamma}{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash (M : \gamma) \uparrow \gamma}\ {\downarrow\uparrow}$$

This rule states that if the proof term M is annotated with a type γ and if M indeed checks against γ, then we may synthesize γ as the type of M.

Next, we consider the introduction and elimination rules for linear implication:

$$\dfrac{\Phi;\Sigma, i{:}\mathsf{interval};\Psi, I \supseteq i;\Gamma;\Delta, u{:}A[i] \vdash M \downarrow B[i]}{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash \lambda i,u.M \downarrow A \multimap B[I]}\ {\multimap}I$$

$$\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta_1 \vdash M \uparrow A \multimap B[I] \quad \Phi;\Sigma;\Psi;\Gamma;\Delta_2 \vdash N \downarrow A[I'] \quad \Phi;\Sigma;\Psi \models I \supseteq I'}{\Phi;\Sigma;\Psi;\Gamma;\Delta_1,\Delta_2 \vdash M\mathbin{\hat{}}N\ I' \uparrow B[I']}\ {\multimap}E$$

The proof term for introduction of linear implication is λi,u.M, where i and u are the interval and proof assumptions created, respectively. (i is needed because intervals can appear in implication elimination proof terms.) Usually a lambda expression would have its parameter annotated with a type. However, because the ⊸I rule checks against a type, writing λi,u:A[i].M would be redundant: A is already known from the input to the checking judgment.

Most other type annotations on proof terms can be omitted for the same reason. This pattern does not apply to the elimination proof term for linear implication, however. The ⊸E rule shows that a type must be synthesized for M^N I'. By synthesizing a type for M, we learn A, B, and I. N must then be checked against A[I']. Without the annotation I' in the proof term, we would not know I' and would be forced to guess it. It is therefore not possible to maintain a standard bidirectional system and also eliminate the annotation I' from this proof term.

For the same reason, the elimination proof term for unrestricted implication also requires an interval annotation, while the introduction term needs no annotations.
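The constraint judgment Φ; Σ; Ψ ⊨ C is treated as a black box above (Section 5.1.3), and the rules just discussed consult it both for interval well-formedness and for the I ⊇ I' side conditions of ↑↓ and ⊸E. The following Python fragment, added here and not part of the thesis's checker, puts both pieces together: a decision procedure for Ψ ⊨ t ≥ t' by reachability over the graph of ≥ assumptions (my own, not the procedure of Section 5.2.4), the translation of I ⊇ I' into two ≥ constraints, and a bidirectional checker for the hyp, ↑↓, ↓↑, ⊸I and ⊸E rules. Two representation choices are assumptions of this example only: an interval parameter i introduced by ⊸I is represented by a pair of fresh time parameters (i_l, i_r), and linearity is enforced by having each judgment return the set of linear variables its subterm consumed, which need not be the technique of Section 5.2.

```python
from collections import deque

INF = float("inf")   # the constants ∞ and −∞; other time constants are integers


def entails(psi, goal):
    """Decide Ψ ⊨ a ≥ b. psi is a list of pairs (x, y) meaning x ≥ y, goal is
    (a, b). Parameters are strings, constants numbers. Build the graph with an
    edge x -> y per assumption, c -> d for constants c ≥ d, ∞ -> every node and
    every node -> −∞; then a ≥ b iff b is reachable from a, or Ψ is unsatisfiable
    (a smaller constant reaches a larger one), in which case anything follows."""
    nodes = {INF, -INF}
    for x, y in psi + [goal]:
        nodes.update((x, y))
    edges = {n: set() for n in nodes}
    for x, y in psi:
        edges[x].add(y)
    consts = [n for n in nodes if not isinstance(n, str)]
    for c in consts:
        edges[c].update(d for d in consts if c >= d)
    for n in nodes:
        edges[INF].add(n)
        edges[n].add(-INF)

    def reach(src):
        seen, todo = {src}, deque([src])
        while todo:
            for m in edges[todo.popleft()] - seen:
                seen.add(m)
                todo.append(m)
        return seen

    return goal[1] in reach(goal[0]) or any(
        d in reach(c) for c in consts for d in consts if c < d)


def superset(I, J):
    """I ⊇ J for I = [t1, t2], J = [s1, s2] is the conjunction s1 ≥ t1, t2 ≥ s2."""
    return [(J[0], I[0]), (I[1], J[1])]


def entails_superset(psi, I, J):
    return all(entails(psi, g) for g in superset(I, J))


def ends(I):
    """Assumption: an interval parameter i stands for fresh time parameters (i_l, i_r)."""
    return (I + "_l", I + "_r") if isinstance(I, str) else I


class Fail(Exception):
    """No typing derivation exists."""


# Propositions: ("atom", p) | ("lolli", A, B); a type is a pair (A, I).
# Proof terms: ("var", u) | ("ann", M, (A, I)) | ("lam", i, u, M) | ("app", M, N, I')
def synth(psi, gamma, delta, M):
    """Φ;Σ;Ψ;Γ;Δ ⊢ M ↑ A[I]. Returns ((A, I), set of linear variables used)."""
    if M[0] == "var":                                   # hyp (Δ) and hyp for Γ
        if M[1] in delta:
            return delta[M[1]], {M[1]}
        if M[1] in gamma:
            return gamma[M[1]], set()
        raise Fail("unbound variable " + M[1])
    if M[0] == "ann":                                   # ↓↑
        A, I = M[2]
        return (A, I), check(psi, gamma, delta, M[1], A, I)
    if M[0] == "app":                                   # ⊸E
        (T, I), used1 = synth(psi, gamma, delta, M[1])
        I2 = ends(M[3])
        if T[0] != "lolli" or not entails_superset(psi, I, I2):
            raise Fail("application needs M ↑ A ⊸ B[I] with Ψ ⊨ I ⊇ I'")
        rest = {u: ty for u, ty in delta.items() if u not in used1}   # Δ₂ = Δ − Δ₁
        used2 = check(psi, gamma, rest, M[2], T[1], I2)             # N ↓ A[I']
        return (T[2], I2), used1 | used2
    raise Fail("cannot synthesize a type for " + M[0] + "; annotate it")


def check(psi, gamma, delta, M, A, I):
    """Φ;Σ;Ψ;Γ;Δ ⊢ M ↓ A[I]. Returns the set of linear variables used."""
    if M[0] == "lam":                                   # ⊸I
        if A[0] != "lolli":
            raise Fail("λ checked against a non-implication")
        i, u = ends(M[1]), M[2]
        used = check(psi + superset(I, i), gamma,       # Ψ, I ⊇ i
                     dict(delta, **{u: (A[1], i)}), M[3], A[2], i)
        if u not in used:
            raise Fail("linear variable " + u + " is never used")
        return used - {u}
    (T, J), used = synth(psi, gamma, delta, M)          # ↑↓
    if T != A or not entails_superset(psi, J, I):
        raise Fail("synthesized type is not subsumed by the expected one")
    return used


def typecheck(gamma, delta, M, A, I, psi=()):
    """Top level: every resource in Δ must be consumed exactly once."""
    used = check(list(psi), gamma, delta, M, A, ends(I))
    if used != set(delta):
        raise Fail("unused linear resources: " + ", ".join(sorted(set(delta) - used)))
    return True
```

With f:(A ⊸ B)[0,10] in Γ and x:A[3,3] in Δ, the term f^x [3,3] synthesizes B[3,3]; the same term annotated with [5,5] is rejected, because x's interval [3,3] does not contain [5,5], which is exactly why the annotation on the ⊸E proof term cannot be dropped. Leaving a linear resource in Δ unconsumed is rejected at the top level, and λi,u.(f^u i) checks against (A ⊸ B)[2,8] because the assumption [2,8] ⊇ i, translated to i_l ≥ 2 and 8 ≥ i_r, lets the solver derive [0,10] ⊇ i.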

The full set of inference rules for the typing judgments M ↑ γ and M ↓ γ is given in Figure 5.6. To avoid cluttering the rules, all contexts and types are assumed to be well-formed.
$$\begin{array}{c}
\dfrac{}{\Phi;\Sigma;\Psi;\Gamma;u{:}A[I] \vdash u \uparrow A[I]}\ \mathsf{hyp} \qquad
\dfrac{}{\Phi;\Sigma;\Psi;\Gamma, v{:}A[I];\cdot \vdash v \uparrow A[I]}\ \mathsf{hyp!} \\[2ex]
\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash M \uparrow A[I] \quad \Phi;\Sigma;\Psi \models I \supseteq I'}{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash M \downarrow A[I']}\ {\uparrow\downarrow} \qquad
\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash M \uparrow (K\ \mathsf{affirms}\ A)\ \mathsf{at}\ I \quad \Phi;\Sigma;\Psi \models I \supseteq I'}{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash M \downarrow (K\ \mathsf{affirms}\ A)\ \mathsf{at}\ I'}\ {\uparrow\downarrow}\mathsf{affirms} \\[2ex]
\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash M \downarrow \gamma}{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash (M : \gamma) \uparrow \gamma}\ {\downarrow\uparrow} \\[2ex]
\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta_1 \vdash M \downarrow A[I] \quad \Phi;\Sigma;\Psi;\Gamma;\Delta_2 \vdash N \downarrow B[I]}{\Phi;\Sigma;\Psi;\Gamma;\Delta_1,\Delta_2 \vdash M \otimes N \downarrow A \otimes B[I]}\ {\otimes}I \qquad
\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta_1 \vdash M \uparrow A \otimes B[I] \quad \Phi;\Sigma;\Psi;\Gamma;\Delta_2, u_1{:}A[I], u_2{:}B[I] \vdash N \downarrow \gamma}{\Phi;\Sigma;\Psi;\Gamma;\Delta_1,\Delta_2 \vdash \mathsf{let}\ M = u_1 \otimes u_2\ \mathsf{in}\ N \downarrow \gamma}\ {\otimes}E \\[2ex]
\dfrac{}{\Phi;\Sigma;\Psi;\Gamma;\cdot \vdash {*} \downarrow \mathbf{1}[I]}\ \mathbf{1}I \qquad
\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta_1 \vdash M \uparrow \mathbf{1}[I] \quad \Phi;\Sigma;\Psi;\Gamma;\Delta_2 \vdash N \downarrow \gamma}{\Phi;\Sigma;\Psi;\Gamma;\Delta_1,\Delta_2 \vdash \mathsf{let}\ M = {*}\ \mathsf{in}\ N \downarrow \gamma}\ \mathbf{1}E \\[2ex]
\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash M \downarrow A[I] \quad \Phi;\Sigma;\Psi;\Gamma;\Delta \vdash N \downarrow B[I]}{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash \langle M, N\rangle \downarrow A \mathbin{\&} B[I]}\ {\&}I \\[2ex]
\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash M \uparrow A \mathbin{\&} B[I]}{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash \mathsf{fst}\ M \uparrow A[I]}\ {\&}E_1 \qquad
\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash M \uparrow A \mathbin{\&} B[I]}{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash \mathsf{snd}\ M \uparrow B[I]}\ {\&}E_2 \qquad
\dfrac{}{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash \langle\rangle \downarrow \top[I]}\ {\top}I \\[2ex]
\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash M \downarrow A[I]}{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash \mathsf{inl}\ M \downarrow A \oplus B[I]}\ {\oplus}I_1 \qquad
\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash M \downarrow B[I]}{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash \mathsf{inr}\ M \downarrow A \oplus B[I]}\ {\oplus}I_2 \\[2ex]
\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta_1 \vdash M \uparrow A \oplus B[I] \quad \Phi;\Sigma;\Psi;\Gamma;\Delta_2, u_1{:}A[I] \vdash N_1 \downarrow \gamma \quad \Phi;\Sigma;\Psi;\Gamma;\Delta_2, u_2{:}B[I] \vdash N_2 \downarrow \gamma}{\Phi;\Sigma;\Psi;\Gamma;\Delta_1,\Delta_2 \vdash \mathsf{case}\ M\ \mathsf{of}\ \mathsf{inl}\ u_1 \Rightarrow N_1 \mid \mathsf{inr}\ u_2 \Rightarrow N_2 \downarrow \gamma}\ {\oplus}E \\[2ex]
\dfrac{\Phi;\Sigma, i{:}\mathsf{interval};\Psi, I \supseteq i;\Gamma;\Delta, u{:}A[i] \vdash M \downarrow B[i]}{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash \lambda i,u.M \downarrow A \multimap B[I]}\ {\multimap}I \\[2ex]
\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta_1 \vdash M \uparrow A \multimap B[I] \quad \Phi;\Sigma;\Psi;\Gamma;\Delta_2 \vdash N \downarrow A[I'] \quad \Phi;\Sigma;\Psi \models I \supseteq I'}{\Phi;\Sigma;\Psi;\Gamma;\Delta_1,\Delta_2 \vdash M\mathbin{\hat{}}N\ I' \uparrow B[I']}\ {\multimap}E
\end{array}$$

Figure 5.6: The bidirectional typing rules.
$$\dfrac{\Phi;\Sigma;\Psi;\Gamma;\cdot \vdash M \downarrow A[I]}{\Phi;\Sigma;\Psi;\Gamma;\cdot \vdash\ !M \downarrow\ !A[I]}\ {!I}
\qquad
\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta_1 \vdash M \uparrow\ !A[I] \qquad \Phi;\Sigma;\Psi;\Gamma, v{:}A[I];\Delta_2 \vdash N \downarrow \gamma}{\Phi;\Sigma;\Psi;\Gamma;\Delta_1,\Delta_2 \vdash \mathbf{let}\ M =\ !v\ \mathbf{in}\ N \downarrow \gamma}\ {!E}$$

$$\dfrac{\Phi;\Sigma, i{:}\mathrm{interval};\Psi, I \supseteq i;\Gamma, v{:}A[i];\Delta \vdash M \downarrow B[i]}{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash \lambda i,v.M \downarrow A \supset B[I]}\ {\supset I}$$

$$\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash M \uparrow A \supset B[I] \qquad \Phi;\Sigma;\Psi;\Gamma;\cdot \vdash N \downarrow A[I'] \qquad \Sigma;\Psi \models I \supseteq I'}{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash M\ N\ I' \uparrow B[I']}\ {\supset E}$$

$$\dfrac{\Phi;\Sigma, x{:}s;\Psi;\Gamma;\Delta \vdash M \downarrow A[I]}{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash \lambda x.M \downarrow \forall x{:}s.A[I]}\ {\forall I}
\qquad
\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash M \uparrow \forall x{:}s.A[I]}{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash M[t] \uparrow [t/x]A[I]}\ {\forall E}$$

$$\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash M \downarrow [t/x]A[I]}{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash \mathbf{pack}\ t\ \mathbf{with}\ M \downarrow \exists x{:}s.A[I]}\ {\exists I}$$

$$\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta_1 \vdash M \uparrow \exists x{:}s.A[I] \qquad \Phi;\Sigma, x{:}s;\Psi;\Gamma;\Delta_2, u{:}A[I] \vdash N \downarrow \gamma}{\Phi;\Sigma;\Psi;\Gamma;\Delta_1,\Delta_2 \vdash \mathbf{let}\ M = \mathbf{pack}\ x\ \mathbf{with}\ u\ \mathbf{in}\ N \downarrow \gamma}\ {\exists E}$$

$$\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash M \downarrow A[I]}{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash K\ \mathrm{affirms}\ M \downarrow (K\ \mathrm{affirms}\ A)\ \mathrm{at}\ I}\ \mathrm{affirms}
\qquad
\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash M \downarrow (K\ \mathrm{affirms}\ A)\ \mathrm{at}\ I}{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash \langle K \rangle M \downarrow \langle K \rangle A[I]}\ {\langle K \rangle I}$$

$$\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta_1 \vdash M \uparrow \langle K \rangle A[I] \qquad \Sigma;\Psi \models I \supseteq I' \qquad \Phi;\Sigma;\Psi;\Gamma;\Delta_2, u{:}A[I] \vdash N \downarrow (K\ \mathrm{affirms}\ B)\ \mathrm{at}\ I'}{\Phi;\Sigma;\Psi;\Gamma;\Delta_1,\Delta_2 \vdash \mathbf{let}\ M = \langle K \rangle u\ \mathbf{in}\ N \downarrow (K\ \mathrm{affirms}\ B)\ \mathrm{at}\ I'}\ {\langle K \rangle E}$$

$$\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash M \downarrow A[I]}{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash @^{+}M \downarrow A\,@\,I[I']}\ {@I}
\qquad
\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash M \uparrow A\,@\,I[I']}{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash @^{-}M \uparrow A[I]}\ {@E}$$

$$\dfrac{\Phi;\Sigma;\Psi, C;\Gamma;\Delta \vdash M \downarrow A[I]}{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash \lambda.M \downarrow C \supset A[I]}\ {\supset I}
\qquad
\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash M \uparrow C \supset A[I] \qquad \Sigma;\Psi \models C}{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash M[\,] \uparrow A[I]}\ {\supset E}$$

$$\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash M \downarrow A[I] \qquad \Sigma;\Psi \models C}{\Phi;\Sigma;\Psi;\Gamma;\Delta \vdash \wedge M \downarrow C \wedge A[I]}\ {\wedge I}
\qquad
\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta_1 \vdash M \uparrow C \wedge A[I] \qquad \Phi;\Sigma;\Psi, C;\Gamma;\Delta_2, u{:}A[I] \vdash N \downarrow \gamma}{\Phi;\Sigma;\Psi;\Gamma;\Delta_1,\Delta_2 \vdash \mathbf{let}\ M = \wedge u\ \mathbf{in}\ N \downarrow \gamma}\ {\wedge E}$$

Figure 5.7: The bidirectional typing rules, continued.
5.2 Implementing the Proof Checker

The combination of linearity and constraints in ηL logic introduces several, albeit small, implementation challenges. The techniques used in resolving these problems are not unique to this implementation, but are instead borrowed from previous work. We first discuss explicit substitutions and de Bruijn indices as general techniques, and then turn our attention to linearity and the constraint solver.

5.2.1  Explicit  Substitutions 

To  avoid  implementing  a  direct  substitution  function  for  terms  and  proofs,  one  can  encode  the 
substitution  operation  as  an  explicit  proof  term.  Substitutions  can  then  be  lazily  computed  during 
type  checking.  This  method  also  prevents  the  size  explosion  that  results  from  directly  substituting 
a  large  object  for  many  variable  occurrences. 

Despite  the  advantages  of  explicit  substitutions,  there  is  a  possible  tradeoff.  With  the  addition 
of  substitution  objects,  any  hope  for  the  equivalence  of  terms  and  propositions  based  on  purely 
syntactic  means  is  lost.  For  example,  the  term  t  and  the  substitution  [t/x]  applied  lazily  to  x  are 
equivalent,  but  do  not  share  the  same  syntax.  This  burdens  the  implementation  with  functions  for 
normalizing  terms  and  propositions  and  for  determining  equivalence  of  these  normal  forms. 

In the end, explicit lazy, and not direct eager, substitutions based on the λσ calculus of Abadi et al. [5] were implemented in the proof checker. Because neither the advantage of efficiency nor the disadvantage of additional code were particularly compelling factors for a small proof-of-concept implementation, the use of explicit substitutions was primarily chosen as an exercise.

5.2.2  de  Bruijn  Indices 

Rather than using a named representation for proof and term variables, de Bruijn indices were chosen. de Bruijn indices name each occurrence of a variable according to the number of variable bindings that separate that occurrence from its binder. For example, λx.λy.y (λz.x z) would be represented with de Bruijn indices as λ.λ.1 (λ.3 1).

de  Bruijn  indices  simplify  the  implementation  of  a  type  checker  by  eliminating  the  need  for 
a-conversion;  unlike  named  representations  of  proof  terms,  a-equivalent  terms  have  syntactically 
identical  de  Bruijn  representations  since  the  underlying  names  are  ignored.  In  addition,  they 
cooperate  well  with  explicit  substitutions.  It  is  for  these  reasons  that  de  Bruijn  indices  were 
chosen. 

It is natural to expect that the implementation would mirror the formal system by separating the assumptions into the five contexts. However, this interacts poorly with de Bruijn indices. Suppose that, as part of an atomic proposition, some type in Δ mentions the term parameter with de Bruijn index 1 in Σ. Now, if a new term parameter is bound, the index 1 in this type must be shifted to 2, or else the type will refer to the wrong parameter. Such shifts would need to occur for Ψ, Γ, and Δ every time a new term parameter is bound.

A better solution is to combine all of the five contexts into one. Under the convention that a context entry is well-formed in the tail of its context, shifts will not be incurred for each new term parameter. Instead, each de Bruijn index in the context will remain fixed throughout its lifetime. Only when a type or constraint is used from the context will it need to be shifted. This is the approach taken by the proof checker implementation.
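The following Python is an added illustration of the two techniques just described; it is not code from the thesis's proof checker, which works on proof terms and propositions rather than on bare lambda terms. It converts named lambda terms to de Bruijn indices (so α-equivalent terms become syntactically identical), and it implements λσ-style explicit substitutions that are applied lazily by a normalizer, so that equivalence of terms is decided by comparing normal forms rather than raw syntax. All class and function names are the example's own.

```python
from dataclasses import dataclass
from typing import Union

# ---- named terms: the surface syntax ------------------------------------
@dataclass(frozen=True)
class NVar:
    name: str

@dataclass(frozen=True)
class NLam:
    param: str
    body: "Named"

@dataclass(frozen=True)
class NApp:
    fn: "Named"
    arg: "Named"

Named = Union[NVar, NLam, NApp]

# ---- de Bruijn terms, plus an explicit-substitution node -----------------
@dataclass(frozen=True)
class Var:
    index: int                 # 1 = nearest enclosing binder, 2 = the next, ...

@dataclass(frozen=True)
class Lam:
    body: "Term"

@dataclass(frozen=True)
class App:
    fn: "Term"
    arg: "Term"

@dataclass(frozen=True)
class Clo:                     # a term with a suspended (lazy) substitution
    term: "Term"
    sub: "Subst"

# Substitutions in the lambda-sigma style: Shift(k) renumbers every free index
# by k; Cons(t, s) sends index 1 to t and index n+1 to whatever s sends n to.
@dataclass(frozen=True)
class Shift:
    k: int

@dataclass(frozen=True)
class Cons:
    head: "Term"
    tail: "Subst"

Term = Union[Var, Lam, App, Clo]
Subst = Union[Shift, Cons]

def to_debruijn(t: Named, env: tuple = ()) -> Term:
    """Closed named term -> de Bruijn term. env lists binders innermost-first."""
    if isinstance(t, NVar):
        return Var(env.index(t.name) + 1)
    if isinstance(t, NLam):
        return Lam(to_debruijn(t.body, (t.param,) + env))
    return App(to_debruijn(t.fn, env), to_debruijn(t.arg, env))

def lookup(sub: Subst, i: int) -> Term:
    """The term that substitution `sub` assigns to index i."""
    while True:
        if isinstance(sub, Shift):
            return Var(i + sub.k)
        if i == 1:
            return sub.head
        i, sub = i - 1, sub.tail

def compose(s1: Subst, s2: Subst) -> Subst:
    """s2 applied after s1: compose(s1, s2)(i) = s2 applied to s1(i)."""
    if isinstance(s1, Shift) and isinstance(s2, Shift):
        return Shift(s1.k + s2.k)
    if isinstance(s1, Shift):                 # drop the first k entries of s2
        s, k = s2, s1.k
        while k > 0 and isinstance(s, Cons):
            s, k = s.tail, k - 1
        return s if k == 0 else Shift(k + s.k)
    return Cons(Clo(s1.head, s2), compose(s1.tail, s2))

def lift(sub: Subst) -> Subst:
    """Push a substitution under one binder: index 1 stays, the rest shift by 1."""
    return Cons(Var(1), compose(sub, Shift(1)))

def whnf(t: Term) -> Term:
    """Weak head normal form: push substitutions and reduce head redexes lazily."""
    if isinstance(t, Clo):
        u, s = t.term, t.sub
        if isinstance(u, Var):
            return whnf(lookup(s, u.index))
        if isinstance(u, Lam):
            return Lam(Clo(u.body, lift(s)))
        if isinstance(u, App):
            return whnf(App(Clo(u.fn, s), Clo(u.arg, s)))
        return whnf(Clo(u.term, compose(u.sub, s)))   # nested closure
    if isinstance(t, App):
        f = whnf(t.fn)
        if isinstance(f, Lam):                         # beta, as a lazy substitution
            return whnf(Clo(f.body, Cons(t.arg, Shift(0))))
        return App(f, t.arg)
    return t

def normalize(t: Term) -> Term:
    """Full normal form, on which equivalence becomes a syntactic comparison."""
    t = whnf(t)
    if isinstance(t, Lam):
        return Lam(normalize(t.body))
    if isinstance(t, App):
        return App(normalize(t.fn), normalize(t.arg))
    return t

def equivalent(a: Term, b: Term) -> bool:
    return normalize(a) == normalize(b)
```

The point the section makes shows up directly: `Clo(Var(1), Cons(t, Shift(0)))` and `t` are different syntax trees, so `==` on them is false, and only `equivalent` (normalization first) recognises them as the same term.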

5.2.3  Linearity 

Enforcing the single-use nature of linear hypotheses during type checking requires careful consideration. At first glance, the problem might appear relatively straightforward: type checking should simply ensure that each hypothesis is distributed to exactly one recursive call. But the situation is complicated by the nondeterministic presentation of some of the inference rules. As an example, consider the ⊗I rule:

$$\dfrac{\Phi;\Sigma;\Psi;\Gamma;\Delta_1 \vdash M \downarrow A[I] \qquad \Phi;\Sigma;\Psi;\Gamma;\Delta_2 \vdash N \downarrow B[I]}{\Phi;\Sigma;\Psi;\Gamma;\Delta_1,\Delta_2 \vdash M \otimes N \downarrow A \otimes B[I]}\ {\otimes I}$$

Δ1, Δ2 is the multiset of resources that must be used in the proof term M ⊗ N. However, there are exponentially many ways to distribute these resources among the premises, and it would seem difficult to find a correct distribution. In fact, through the variables it uses, the proof term lists (almost) all of the resources consumed. The input-output method [15] leverages this information to eliminate the nondeterminism of splitting the context.

Under this approach, the proof term M ⊗ N, for example, is checked against A ⊗ B[I] as follows. First, all of the incoming resources, say Δ+, are used to check M against A[I]. By mentioning only some of the variables from Δ+, the proof term M consumes only some of these resources and outputs the rest, say Δ. Then, Δ is used to check N against B[I]. Again, N consumes only some of these resources and outputs the rest, say Δ−. Thus, M greedily (and deterministically) decided how to divide the resources between itself and N.

The  implementation  of  the  proof  checker  follows  this  model.  However,  explicitly  returning  only 
the  unconsumed  part  of  the  context  would  interfere  with  the  numbering  scheme  for  de  Bruijn 
indices:  the  de  Bruijn  index  would  no  longer  correspond  to  the  distance  from  the  front  of  the 
context.  So,  instead,  the  full  context  is  returned  after  flagging  each  resource  as  “consumed”  or 
“unconsumed.” 

This marking scheme is further complicated by (), the proof term for ⊤, because it can consume resources but does not list them explicitly. If Δ+ is used to check () against ⊤[I], then () might consume these resources, or it might produce them as output. Therefore, a third flag is introduced: “possibly consumed.” Because it can consume any unconsumed resources in the current context, () represents a fallback option for any of those resources that are not later consumed. () therefore re-marks all “unconsumed” resources as “possibly consumed.” Since () is only a fallback, later proof terms may re-mark “possibly consumed” resources as “consumed.”

The implementation, by using this three-flag input-output method, can deterministically and efficiently type check linear proof terms.
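As an added example of the three-flag input-output method (not the thesis's own checker, and covering resource accounting only, not the typing of each subterm), the Python below runs the flag discipline over a small fragment of the proof-term language: linear variables, M ⊗ N, let M = u1 ⊗ u2 in N, () for ⊤ and * for 1. `use` returns the full context with updated flags rather than a sub-context, which is the design choice the section gives for keeping positional numbering stable. Names such as `use`, `check_linear` and `LinearityError` are the example's own.

```python
from dataclasses import dataclass
from typing import Union

UNCONSUMED, CONSUMED, MAYBE = "unconsumed", "consumed", "possibly consumed"

class LinearityError(Exception):
    """Raised when a proof term violates the single-use discipline."""

# A fragment of the proof-term language, enough to exercise the three flags.
@dataclass(frozen=True)
class Var:                  # a linear hypothesis u
    name: str

@dataclass(frozen=True)
class Tensor:               # M ⊗ N
    left: "Proof"
    right: "Proof"

@dataclass(frozen=True)
class LetTensor:            # let M = u1 ⊗ u2 in N  (u1, u2 assumed fresh)
    scrutinee: "Proof"
    u1: str
    u2: str
    body: "Proof"

@dataclass(frozen=True)
class Unit:                 # (), the proof term for ⊤: may consume anything
    pass

@dataclass(frozen=True)
class Star:                 # *, the proof term for 1: consumes nothing
    pass

Proof = Union[Var, Tensor, LetTensor, Unit, Star]

def use(term: Proof, ctx: dict) -> dict:
    """One input-output pass. `ctx` maps every linear hypothesis in scope to a
    flag; the whole context comes back with flags updated, never a sub-context."""
    if isinstance(term, Var):
        flag = ctx.get(term.name)
        if flag is None:
            raise LinearityError(f"{term.name} is not a linear hypothesis in scope")
        if flag == CONSUMED:
            raise LinearityError(f"{term.name} is used more than once")
        # UNCONSUMED or MAYBE: this occurrence claims the resource for good.
        return {**ctx, term.name: CONSUMED}
    if isinstance(term, Tensor):
        # Greedy split: M takes whatever it mentions, N gets the rest.
        return use(term.right, use(term.left, ctx))
    if isinstance(term, LetTensor):
        after = use(term.scrutinee, ctx)
        inner = {**after, term.u1: UNCONSUMED, term.u2: UNCONSUMED}
        out = use(term.body, inner)
        for u in (term.u1, term.u2):        # bound resources must be used up
            if out[u] == UNCONSUMED:
                raise LinearityError(f"{u} is bound but never used")
            del out[u]                      # leaves scope
        return out
    if isinstance(term, Unit):
        # () is a fallback for everything still unconsumed; a later subterm
        # may still upgrade a MAYBE resource to CONSUMED.
        return {u: (MAYBE if f == UNCONSUMED else f) for u, f in ctx.items()}
    if isinstance(term, Star):
        return ctx
    raise TypeError(f"unknown proof term {term!r}")

def check_linear(term: Proof, resources: list) -> bool:
    """True iff every resource in Δ ends up consumed, or possibly consumed by ()."""
    out = use(term, {u: UNCONSUMED for u in resources})
    return all(f != UNCONSUMED for f in out.values())

def violates_linearity(term: Proof, resources: list) -> bool:
    """True iff the term uses some hypothesis twice or leaves a bound one unused."""
    try:
        use(term, {u: UNCONSUMED for u in resources})
        return False
    except LinearityError:
        return True
```

With Δ = {u1, u2}, the term u1 ⊗ () passes (u2 ends "possibly consumed"), u1 alone fails (u2 is left "unconsumed"), and u1 ⊗ u1 raises because the second occurrence meets a "consumed" flag.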

5.2.4  Constraints 

The superset constraint solver for the proof checker posed a unique challenge: how should superset constraints reconcile interval parameters i and explicitly constructed intervals?

This can be resolved by requiring all terms of sort interval to be explicitly constructed intervals. Under this approach, the superset constraint [t1, t2] ⊇ [t1', t2'] is considered an abbreviation for a conjunction of two, now primitive, ≥ constraints among times: t1' ≥ t1 and t2 ≥ t2'. These ≥ constraints can then be solved using a simple decision procedure that builds a reflexive, transitive closure by saturation.

For this to work, only the representation of interval parameters needs to be changed. Consider the introduction of an interval parameter i by universal quantification: ∀i:interval.A. Instead of using i directly, two time parameters i1 and i2, with i2 ≥ i1, are created and i is replaced with [i1, i2]. Then, checking can continue. Thus, the original proposition is effectively translated to:

$$\forall i_1{:}\mathrm{time}.\,\forall i_2{:}\mathrm{time}.\,(i_2 \ge i_1) \supset ([[i_1, i_2]/i]A)$$

Similar  operations  are  performed  for  the  corresponding  proof  term  and  for  the  introduction  of  inter¬ 
val  parameters  in  the  existential  quantification  and  implication  rules.  Because  interval  parameters 
are  eliminated  immediately  before  use,  no  other  cases  need  to  be  considered. 
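The constraint handling of this subsection, as an added Python example rather than the thesis's own solver: superset constraints between explicit intervals are expanded into ≥ facts among times, a reflexive, transitive closure of those facts is built by saturation, and an interval parameter i is eliminated into [i_1, i_2] with i_2 ≥ i_1 before use. Time parameters are strings and constants are integers (an assumption of the example); `entails`, `saturate` and the other names are the example's own.

```python
from typing import Union

Time = Union[str, int]       # a time parameter, or a numeric constant
Interval = tuple             # an explicitly constructed interval (t1, t2)

def superset_to_ge(sup: Interval, sub: Interval) -> list:
    """[t1, t2] ⊇ [t1', t2'] abbreviates t1' ≥ t1 and t2 ≥ t2'."""
    (t1, t2), (t1p, t2p) = sup, sub
    return [(t1p, t1), (t2, t2p)]

def saturate(ge: list) -> set:
    """Reflexive, transitive closure of a set of x ≥ y facts, by saturation:
    keep adding (a, d) whenever (a, b) and (b, d) are present, until nothing changes."""
    closure = set(ge)
    closure |= {(p, p) for pair in ge for p in pair}
    changed = True
    while changed:
        changed = False
        for (a, b) in list(closure):
            for (c, d) in list(closure):
                if b == c and (a, d) not in closure:
                    closure.add((a, d))
                    changed = True
    return closure

def entails(hyps: list, goal: tuple) -> bool:
    """Do the hypotheses (x ≥ y facts) entail the superset constraint
    goal = (sup, sub)?  Numeric constants carry their usual ordering."""
    needed = superset_to_ge(*goal)
    points = {p for pair in list(hyps) + needed for p in pair}
    numeric = [(m, n) for m in points for n in points
               if isinstance(m, int) and isinstance(n, int) and m >= n]
    closure = saturate(list(hyps) + numeric) | {(p, p) for p in points}
    return all(pair in closure for pair in needed)

def eliminate_interval_param(i: str) -> tuple:
    """∀i:interval.A is treated as ∀i_1:time.∀i_2:time.(i_2 ≥ i_1) ⊃ [[i_1,i_2]/i]A.
    Returns the replacement interval and the new ≥ hypothesis."""
    i1, i2 = f"{i}_1", f"{i}_2"
    return (i1, i2), (i2, i1)

def instantiate(constraint: tuple, i: str, interval: Interval) -> tuple:
    """Replace interval parameter i by its explicit interval in a ⊇ constraint."""
    sup, sub = constraint
    return (interval if sup == i else sup, interval if sub == i else sub)
```

The interesting case is the one the ⊸I rule creates: the hypothesis I ⊇ i with I = [a, b] and i eliminated to [i_1, i_2] yields i_1 ≥ a, b ≥ i_2 and i_2 ≥ i_1, and only the transitive step b ≥ i_2 ≥ i_1 lets the solver conclude [a, b] ⊇ [i_1, i_1].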


5.3  Conclusion 

In this chapter, we have described a proof checker for ηL logic. We first reduced the level of abstraction by refining the treatment of sorts and atomic propositions, and then examined the intricacies of verifying the well-formedness of terms, particularly intervals, and propositions. Next, we presented a bidirectional type checking system upon which the proof checker is built. Finally, we discussed a few of the implementation challenges and the techniques used to resolve them.


Chapter  6 

Conclusion 


In  this  thesis,  we  have  argued  that,  to  be  widely  applicable,  authorization  logics  should  be  able  to 
express  the  kinds  of  time-dependent  access  control  policies  that  arise  naturally  in  practice.  This 
thesis  has  therefore  focused  on  the  development  and  study  of  an  authorization  logic  with  an  explicit 
notion  of  time. 

In summary, this thesis makes two conceptual contributions and a small practical contribution. First, by developing η logic, it demonstrates that an authorization logic suitable for expressing time-dependent policies can be easily obtained by relativizing the judgments of a time-unaware authorization logic to time intervals. Moreover, through meta-theoretic properties, this thesis has shown the logic to be sound and formally proven it to be an extension of previous work.

Second, by extending η logic with linearity to create ηL logic, this thesis has exhibited the ability of linearity and explicit time to coexist in a logic. Also, a careful study of the logic’s meta-theory was carried out.

Finally, by presenting a bidirectional type checker, this thesis has made the first, very small step toward a full-scale PCA architecture based on ηL logic. The successful implementation of this type checker suggests that such a PCA system should be easily constructible.

Despite these contributions, significant opportunities for continued research on η logic remain. This thesis is therefore concluded with a brief description of possible future work.


6.1  Future  Work 

Directions for future research relating to η logic encompass both immediate and long-term goals. We outline these possibilities in order of increasing scope.

Formal Comparison to Other Logics and Languages. The authorization logics and languages that handle time of which we are aware all do so by extra-logical mechanisms. In contrast, η logic internalizes time. To transport results from other logics to η logic, it would be useful to formally compare η logic with these differing approaches. In particular, the currentTime() predicate of SecPAL [10] would serve as an interesting starting point.
PCA Architecture. A stated goal of this thesis was the design of a logic for time-dependent authorization policies that could serve as the foundation for a PCA-based policy enforcement mechanism. Since its design has now been completed, it is natural to consider creating and deploying a full-scale PCA architecture based on η logic. In fact, this work is already underway; as a component of his doctoral thesis, Deepak Garg is implementing a PCA file system for his own variant of η logic [22].

Policy  Analysis.  As  the  access  control  policies  of  systems  are  often  exceedingly  numerous  and 
complex,  policy  analysis  tools  are  critical  if  authorization  logics  are  to  be  successfully  adopted  in 
practice.  Such  analysis  can  be  carried  out  for  the  logic  as  a  whole  using  non-interference  theorems, 
and  for  specific  policies  using  the  completeness  of  focusing  (for  example). 

The study of policy analysis for an authorization logic via non-interference theorems was initiated by Garg and Pfenning [24]. For example, they established an affirmation flow analysis theorem for GP logic: in the absence of a connection (or flow of affirmation) between principals K1 and K2, no statement made by K1 can influence K2’s affirmations. Abadi subsequently showed a related property for DCC [2]. We expect that these results can be adapted to η logic. Additionally, it will likely be possible to prove other non-interference theorems specific to time, including a “time flow” analysis: in the absence of a connection between intervals I1 and I2, no event occurring during I1 can influence an event during I2.

In related work, Garg et al. [23] also developed a method, based on the completeness of focusing, for establishing the correctness of specific policies. We believe that η logic satisfies the completeness of focusing, but it needs to be formally verified. After doing so, it should be possible to analyze individual policies by this method.

Privacy Policies. Complementing access control, privacy policies represent the other crucial component of security. The growing emphasis placed on privacy is evidenced by the large number of recent regulations enacted by the United States government, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA).

With its importance to security, efforts toward a combined logic for authorization and privacy are underway. Garg et al. [23] have introduced K has A, a modality for modeling possession. We believe that the addition of a time-dependent has to η logic would permit certain time-dependent privacy policies to be expressed. For example, K might be allowed to circumvent a given privacy policy, provided he can satisfy an obligation A during interval I. It seems plausible that the obligation could be represented as something like (K has (A 1))[I]. Further examination of practical privacy policies is needed to verify this claim.